lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:	Fri, 29 May 2015 11:14:11 -0500
From:	ebiederm@...ssion.com (Eric W. Biederman)
To:	Alexander Larsson <alexl@...hat.com>
Cc:	<netdev@...r.kernel.org>
Subject: Re: netlink and user namespaces

Alexander Larsson <alexl@...hat.com> writes:

> Now that I'm using a non-privileged user namespace for my desktop
> sandboxing system all kind of network status things are breaking. The
> reason for this is that they use netlink to enumerated interfaces, and
> to verify that the replies are from the kernel (apparently anyone can
> send anyone netlink messages) this code is verifying that the
> SCM_CREDENTIAL sender of the netlink messages is uid 0.
>
> For instance: 
> http://git.0pointer.net/avahi.git/commit/avahi-core/netlink.c?id=37b2be93e63ceff95698f24cd91cb11774eb621c
> and:
> https://git.gnome.org/browse/glib/tree/gio/gnetworkmonitornetlink.c#n340
>
> This obviously breaks when uid is not mapped (as it can't be in an
> unprivileged user namespace), as uid will be overflowuid.
>
> Is there any other way to check that a netlink message is from the
> kernel?

*scratches my head*  Those are weird pieces of code.

The answer is the way you do this with any other socket.

Call recvfrom or recvmsg.
Looking at the senders address.
If in the senders address nl_pid == 0 then the message is from
the kernel.  Otherwise the message is from userspace.

Looking anywhere else at anything else is bogus.

And a note.  nl_pid is short for netlink port id.  It is not a process id.

Eric
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ