Message-Id: <20171206.144003.2119311447846512879.davem@davemloft.net>
Date:   Wed, 06 Dec 2017 14:40:03 -0500 (EST)
From:   David Miller <davem@...emloft.net>
To:     cernekee@...omium.org
Cc:     johannes.berg@...el.com, netdev@...r.kernel.org,
        linux-kernel@...r.kernel.org, daniel@...earbox.net
Subject: Re: [PATCH] netlink: Add netns check on taps

From: Kevin Cernekee <cernekee@...omium.org>
Date: Tue,  5 Dec 2017 14:46:22 -0800

> Currently, an nlmon link inside a child namespace can observe systemwide
> netlink activity.  Filter the traffic so that in a non-init netns,
> nlmon can only sniff netlink messages from its own netns.
> 
> Test case:
> 
>     vpnns -- bash -c "ip link add nlmon0 type nlmon; \
>                       ip link set nlmon0 up; \
>                       tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" &
>     sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \
>         spi 0x1 mode transport \
>         auth sha1 0x6162633132330000000000000000000000000000 \
>         enc aes 0x00000000000000000000000000000000
>     grep abc123 /tmp/nlmon.pcap
> 
> Signed-off-by: Kevin Cernekee <cernekee@...omium.org>

Daniel, what behavior did you intend this to have?

Taps can see their own namespace only, or init_net is special
and can see all netlink activity.

I think letting init_net see everything could be confusing,
because there is no way to distinguish netlink events by
namespace just by looking at the messages that arrive at
the tap, right?

So maybe own-namespace-only is the way to go.

Thanks.
