lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CALCETrUHTwGJcV1vVd-Fh2sRdn32CDEc_+_EyrE8c0BYRTyumw@mail.gmail.com>
Date:	Sun, 25 May 2014 09:27:43 -0700
From:	Andy Lutomirski <luto@...capital.net>
To:	"Eric W. Biederman" <ebiederm@...ssion.com>
Cc:	Linus Torvalds <torvalds@...ux-foundation.org>,
	Jiri Benc <jbenc@...hat.com>,
	David Miller <davem@...emloft.net>,
	"Jorge Boncompte [DTI2]" <jorge@...2.net>,
	Vivek Goyal <vgoyal@...hat.com>,
	Simo Sorce <ssorce@...hat.com>,
	"security@...nel.org" <security@...nel.org>,
	Network Development <netdev@...r.kernel.org>,
	"Serge E. Hallyn" <serge@...lyn.com>
Subject: Re: [PATCH 5/5] net: Use netlink_ns_capable to verify the permisions
 of netlink messages

On Sat, May 24, 2014 at 10:45 PM, Eric W. Biederman
<ebiederm@...ssion.com> wrote:
> Linus Torvalds <torvalds@...ux-foundation.org> writes:
>
>> On Fri, May 23, 2014 at 4:25 PM, Eric W. Biederman
>> <ebiederm@...ssion.com> wrote:
>>>
>>> I have not seen consensus that what Zebra is doing makes sense to
>>> support.
>>
>> Eric, stop right there.
>>
>> There is no "sensible to support". There is only "reality".
>>
>> The thing that makes "reality" be "reality" is that it exists whether
>> you like it or not, or whether you believe in it or not.
>>
>> We don't break applications. Whether you like them or not is
>> completely immaterial.
>
> You stop right there.  You are shooting the messenger.
>
> I like Zebra just fine, and I hate breaking applications.
>
> We don't retain bug compatibility when the semantics of kernel
> interfaces are security vulnerabilities.
>
> I don't appreciate being shot when I am just the messenger saying that
> there is not a known fix for Zebra, that it might be unfixable, and that
> no one had thought of a anything.
>
> What Andy Lutormiski suggested of checking permissions at connect time
> will break a whole lot more than just Zebra.  Unprivileged connect is a
> supported feature in netlink, and all information rtnetlink queries
> are non-privileged as is listening to rtnetlink brodacsts of network
> state chagnes.

I'm suggesting that the connect syscall store creds or maybe just the
outcome of ns_capable(socket's netns, CAP_NET_ADMIN).  Yes, this is
ugly and kludgey.

I suspect that damn near nothing actually calls connect on netlink
sockets, except for my PoC exploit.  Unprivileged sendto and bind are
important features, but they're not the same thing.  In any event, I'm
not actually proposing removing the ability for unprivileged programs
to call connect on netlink sockets.

>
> In concrete form, no special privileges are requires to run "ip link" or
> "ip monitor".  Those among other commands are what Andy has proposed
> breaking, all in the name of "supporting" Zebra.

Nope.  See above.

ip monitor doesn't call connect.  Neither does ip link, at least in
its iproute2 incarnation.

--Andy
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ