[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20151112142717.7144e931@xeon-e3>
Date: Thu, 12 Nov 2015 14:27:17 -0800
From: Stephen Hemminger <stephen@...workplumber.org>
To: "Jason A. Donenfeld" <Jason@...c4.com>
Cc: Austin S Hemmelgarn <ahferroin7@...il.com>,
David Miller <davem@...emloft.net>,
LKML <linux-kernel@...r.kernel.org>,
Netdev <netdev@...r.kernel.org>
Subject: Re: Is ndo_do_ioctl still acceptable?
On Thu, 12 Nov 2015 23:19:06 +0100
"Jason A. Donenfeld" <Jason@...c4.com> wrote:
> On Thu, Nov 12, 2015 at 9:30 PM, Austin S Hemmelgarn
> <ahferroin7@...il.com> wrote:
> >>
> > On the other hand, based on what you are saying about your device, it sounds
> > like you are working on some kind of cryptographically secured (either
> > authenticated or encrypted or both) tunnel, in which case the fact that
> > security is easier to handle with netlink than ioctls becomes important. If
> > you can't ensure security of the endpoint configuration, you can't ensure
> > security of the tunnel itself.
>
> Could you substantiate these claims that "security is easier to handle
> with netlink". I've never heard this and I don't know why it'd be the
> case. Are you referring to the fact that the copy_to/from_user dance
> of ioctl opens up more potential vulnerabilities than netlink's
> abstracted validation? Or something else? Just confused here...
It means that with netlink it possible to checks on field types and lengths
in generic manner. Ioctl's have the whole compat mess to deal with.
Also when using seccomp it is possible to write code to look at netlink
messages. With ioctl's that is much more difficult especially since the
same ioctl may have different meanings for each device type.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists