lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 13 Jun 2016 07:52:30 -0400
From:	Jamal Hadi Salim <jhs@...atatu.com>
To:	Daniel Borkmann <daniel@...earbox.net>,
	David Miller <davem@...emloft.net>
Cc:	netdev@...r.kernel.org, xiyou.wangcong@...il.com
Subject: Re: [net-next PATCH v2 1/1] net sched actions: skbedit add support
 for mod-ing skb pkt_type

On 16-06-13 04:00 AM, Daniel Borkmann wrote:
> Hi Jamal,
>
> On 06/12/2016 11:24 PM, Jamal Hadi Salim wrote:
>> From: Jamal Hadi Salim <hadi@...atatu.com>
>>
>> Extremely useful for setting packet type to host so i dont
>> have to modify the dst mac address using pedit (which requires
>> that i know the mac address)
>>
>> Signed-off-by: Jamal Hadi Salim <jhs@...atatu.com>
>
> I'm wondering if this is a good idea, I was thinking about something
> like this as well some time ago.

Good ;-> What was your uses case?
In my case it is mostly to allow packets coming into the system
with the wrong MAC address (but correct IP address).
I dont want to keep checking what the MAC address is and adding
a rule to change it before it goes up the stack.

> So far pkt_type is just exposed as
> read-only to user space right now and I'm a bit worried that when we
> allow to set it arbitrarily, then this could lead to hard to debug
> issues since skb->pkt_type is used in a lot of places with possibly
> different assumptions and applications now need to mistrust the kernel
> whether skb->pkt_type was actually what the kernel itself set in the
> first place or skbedit with possibly some nonsense value (like rewriting
> PACKET_OUTGOING into PACKET_LOOPBACK, etc).

Separation of church from state.
In Unix we allow people to shoot their big toe if they want to.
If someone wants to change the destination MAC address to something
stupid they can. If someone wants to set the skbmark they can.
They'll find out it is a bad idea pretty quickly if it was not
what they intended. This is no different.

>Did you audit that this is safe?

Do you see a security issue? then that would need an audit.

cheers,
jamal

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ