lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20140425211809.GC7050@order.stressinduktion.org>
Date:	Fri, 25 Apr 2014 23:18:09 +0200
From:	Hannes Frederic Sowa <hannes@...essinduktion.org>
To:	Lorenzo Colitti <lorenzo@...gle.com>
Cc:	Ben Hutchings <ben@...adent.org.uk>,
	Florian Westphal <fw@...len.de>,
	netdev <netdev@...r.kernel.org>,
	Vasiliy Kulikov <segoon@...nwall.com>
Subject: Re: [RFC][PATCH] IP: Make ping sockets optional

On Fri, Apr 25, 2014 at 07:37:02PM +0900, Lorenzo Colitti wrote:
> On Fri, Apr 25, 2014 at 1:37 AM, Hannes Frederic Sowa
> <hannes@...essinduktion.org> wrote:
> > The origins of this interface are in the openwall project. I assume
> > embedded devices were not that high up on their agenda.
> 
> One of the original discussion threads I posted above has a link to a
> lengthy discussion on why the original designers of this code thought
> capabilities were not a good idea from a security standpoint.

Hmm, maybe I have overlooked it but I have not found any references to
capabilities.

> > We absolutely cannot abandon the interface as it already is in use by
> > android, as Lorenzo stated.
> 
> Well, the fact that it's in use by Android doesn't mean it can't be
> made optional - Android can just turn the feature on in their kernels.
> It would be unfortunate if it were to be removed entirely.
> 
> > Will android switch to file based capabilities
> > in some time? Is that possible?
> 
> I think Android does support file capabilities. But this socket type
> is not just for the ping binary. The fact that this socket type is
> available to any binary allows any application developer to write an
> app that can send ping packets. That seems like a useful capability
> for a diagnostic app.

Ok, I see. There seem to be more users of this on Android. I guess ping
sockets are available to every application writer or will it be set
dynamically because of application permissions? Sorry, I am not that common
with android.

> On the other hand, it seems to me that giving that same diagnostic app
> CAP_NET_RAW would be unacceptable from a security point of view since
> that app would now be able to sniff all traffic on the system, with
> obvious privacy implications. There are also the usual security
> concerns such as what if an exploit is discovered in the ping binary,
> etc. etc.

Ack, that's why my first hunch was to introduce a new capability just for ping
sockets. I assume this wouldn't work for android?

> What's the problem with this code? Is it just the 10KB in size?

I thought it was mostly unused. But now I heard that android uses it,
this is actually not true any more.

Bye,

  Hannes

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ