lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1398266428.7767.140.camel@deadeye.wl.decadent.org.uk>
Date:	Wed, 23 Apr 2014 16:20:28 +0100
From:	Ben Hutchings <ben@...adent.org.uk>
To:	netdev <netdev@...r.kernel.org>
Cc:	Vasiliy Kulikov <segoon@...nwall.com>
Subject: [RFC][PATCH] IP: Make ping sockets optional

ICMP ping sockets currently require a new ping binary and are only
available after setting a sysctl.  The code adds about 10K to the
(uncompressed) size of the kernel.  Make this optional and disable
it by default.

This is compile-tested only; I'd just like to see whether people think
this is worth doing.
---
 include/net/ping.h         | 16 ++++++++++++++++
 net/ipv4/Kconfig           | 10 ++++++++++
 net/ipv4/Makefile          |  4 +++-
 net/ipv4/af_inet.c         |  6 ++++++
 net/ipv4/sysctl_net_ipv4.c |  7 +++++++
 net/ipv6/Makefile          |  4 +++-
 net/ipv6/af_inet6.c        |  4 ++++
 7 files changed, 49 insertions(+), 2 deletions(-)

diff --git a/include/net/ping.h b/include/net/ping.h
index 026479b..d980ea7 100644
--- a/include/net/ping.h
+++ b/include/net/ping.h
@@ -13,6 +13,8 @@
 #ifndef _PING_H
 #define _PING_H
 
+#ifdef CONFIG_INET_PING
+
 #include <net/icmp.h>
 #include <net/netns/hash.h>
 
@@ -108,4 +110,18 @@ void __init ping_init(void);
 int  __init pingv6_init(void);
 void pingv6_exit(void);
 
+#else /* !CONFIG_INET_PING */
+
+static inline void ping_err(struct sk_buff *skb, int offset, u32 info) {}
+static inline void ping_rcv(struct sk_buff *skb) {}
+
+static inline int __init ping_proc_init(void) { return 0; }
+static inline void ping_proc_exit(void) {}
+
+static inline void __init ping_init(void) {}
+static inline int __init pingv6_init(void) { return 0; }
+static inline void pingv6_exit(void) {}
+
+#endif
+
 #endif /* _PING_H */
diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
index 05c57f0..a3cb144 100644
--- a/net/ipv4/Kconfig
+++ b/net/ipv4/Kconfig
@@ -618,3 +618,13 @@ config TCP_MD5SIG
 	  on the Internet.
 
 	  If unsure, say N.
+
+config INET_PING
+	bool "ICMP: Ping sockets"
+	default n
+	---help---
+	  ICMP ping sockets allow 'ping' to be implemented without using a
+	  raw socket, so it does not need to be installed  setuid-root or
+	  setcap.  See <http://openwall.info/wiki/people/segoon/ping>.
+
+	  If unsure, say N.
diff --git a/net/ipv4/Makefile b/net/ipv4/Makefile
index f032688..85f65fc 100644
--- a/net/ipv4/Makefile
+++ b/net/ipv4/Makefile
@@ -11,7 +11,7 @@ obj-y     := route.o inetpeer.o protocol.o \
 	     tcp_offload.o datagram.o raw.o udp.o udplite.o \
 	     udp_offload.o arp.o icmp.o devinet.o af_inet.o igmp.o \
 	     fib_frontend.o fib_semantics.o fib_trie.o \
-	     inet_fragment.o ping.o ip_tunnel_core.o gre_offload.o
+	     inet_fragment.o ip_tunnel_core.o gre_offload.o
 
 obj-$(CONFIG_NET_IP_TUNNEL) += ip_tunnel.o
 obj-$(CONFIG_SYSCTL) += sysctl_net_ipv4.o
@@ -56,3 +56,5 @@ obj-$(CONFIG_NETLABEL) += cipso_ipv4.o
 
 obj-$(CONFIG_XFRM) += xfrm4_policy.o xfrm4_state.o xfrm4_input.o \
 		      xfrm4_output.o xfrm4_protocol.o
+
+obj-$(CONFIG_INET_PING) += ping.o
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index 8c54870..3819b1d 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -1016,6 +1016,7 @@ static struct inet_protosw inetsw_array[] =
 		.flags =      INET_PROTOSW_PERMANENT,
        },
 
+#ifdef CONFIG_INET_PING
        {
 		.type =       SOCK_DGRAM,
 		.protocol =   IPPROTO_ICMP,
@@ -1024,6 +1025,7 @@ static struct inet_protosw inetsw_array[] =
 		.no_check =   UDP_CSUM_DEFAULT,
 		.flags =      INET_PROTOSW_REUSE,
        },
+#endif
 
        {
 	       .type =       SOCK_RAW,
@@ -1719,9 +1721,11 @@ static int __init inet_init(void)
 	if (rc)
 		goto out_unregister_udp_proto;
 
+#ifdef CONFIG_INET_PING
 	rc = proto_register(&ping_prot, 1);
 	if (rc)
 		goto out_unregister_raw_proto;
+#endif
 
 	/*
 	 *	Tell SOCKET that we are alive...
@@ -1810,8 +1814,10 @@ static int __init inet_init(void)
 	rc = 0;
 out:
 	return rc;
+#ifdef CONFIG_INET_PING
 out_unregister_raw_proto:
 	proto_unregister(&raw_prot);
+#endif
 out_unregister_udp_proto:
 	proto_unregister(&udp_prot);
 out_unregister_tcp_proto:
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index 44eba05..bf87094 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -39,8 +39,10 @@ static int ip_ttl_min = 1;
 static int ip_ttl_max = 255;
 static int tcp_syn_retries_min = 1;
 static int tcp_syn_retries_max = MAX_TCP_SYNCNT;
+#ifdef CONFIG_INET_PING
 static int ip_ping_group_range_min[] = { 0, 0 };
 static int ip_ping_group_range_max[] = { GID_T_MAX, GID_T_MAX };
+#endif
 
 /* Update system visible IP port range */
 static void set_local_port_range(struct net *net, int range[2])
@@ -82,6 +84,7 @@ static int ipv4_local_port_range(struct ctl_table *table, int write,
 	return ret;
 }
 
+#ifdef CONFIG_INET_PING
 
 static void inet_get_ping_group_range_table(struct ctl_table *table, kgid_t *low, kgid_t *high)
 {
@@ -145,6 +148,8 @@ static int ipv4_ping_group_range(struct ctl_table *table, int write,
 	return ret;
 }
 
+#endif /* CONFIG_INET_PING */
+
 static int proc_tcp_congestion_control(struct ctl_table *ctl, int write,
 				       void __user *buffer, size_t *lenp, loff_t *ppos)
 {
@@ -803,6 +808,7 @@ static struct ctl_table ipv4_net_table[] = {
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec
 	},
+#ifdef CONFIG_INET_PING
 	{
 		.procname	= "ping_group_range",
 		.data		= &init_net.ipv4.sysctl_ping_group_range,
@@ -810,6 +816,7 @@ static struct ctl_table ipv4_net_table[] = {
 		.mode		= 0644,
 		.proc_handler	= ipv4_ping_group_range,
 	},
+#endif
 	{
 		.procname	= "tcp_ecn",
 		.data		= &init_net.ipv4.sysctl_tcp_ecn,
diff --git a/net/ipv6/Makefile b/net/ipv6/Makefile
index 2fe6836..b8e0488 100644
--- a/net/ipv6/Makefile
+++ b/net/ipv6/Makefile
@@ -7,7 +7,7 @@ obj-$(CONFIG_IPV6) += ipv6.o
 ipv6-objs :=	af_inet6.o anycast.o ip6_output.o ip6_input.o addrconf.o \
 		addrlabel.o \
 		route.o ip6_fib.o ipv6_sockglue.o ndisc.o udp.o udplite.o \
-		raw.o icmp.o mcast.o reassembly.o tcp_ipv6.o ping.o \
+		raw.o icmp.o mcast.o reassembly.o tcp_ipv6.o \
 		exthdrs.o datagram.o ip6_flowlabel.o inet6_connection_sock.o
 
 ipv6-offload :=	ip6_offload.o tcpv6_offload.o udp_offload.o exthdrs_offload.o
@@ -45,3 +45,5 @@ obj-y += addrconf_core.o exthdrs_core.o ip6_checksum.o ip6_icmp.o
 obj-$(CONFIG_INET) += output_core.o protocol.o $(ipv6-offload)
 
 obj-$(subst m,y,$(CONFIG_IPV6)) += inet6_hashtables.o
+
+obj-$(CONFIG_INET_PING) += ping.o
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index d935889..7599ed8 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -861,9 +861,11 @@ static int __init inet6_init(void)
 	if (err)
 		goto out_unregister_udplite_proto;
 
+#ifdef CONFIG_INET_PING
 	err = proto_register(&pingv6_prot, 1);
 	if (err)
 		goto out_unregister_ping_proto;
+#endif
 
 	/* We MUST register RAW sockets before we create the ICMP6,
 	 * IGMP6, or NDISC control sockets.
@@ -1021,8 +1023,10 @@ register_pernet_fail:
 	rtnl_unregister_all(PF_INET6);
 out_sock_register_fail:
 	rawv6_exit();
+#ifdef CONFIG_INET_PING
 out_unregister_ping_proto:
 	proto_unregister(&pingv6_prot);
+#endif
 out_unregister_raw_proto:
 	proto_unregister(&rawv6_prot);
 out_unregister_udplite_proto:

-- 
Ben Hutchings
Beware of programmers who carry screwdrivers. - Leonard Brandwein

Download attachment "signature.asc" of type "application/pgp-signature" (812 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ