lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Sun, 15 Mar 2020 20:36:10 -0600
From:   David Ahern <dsahern@...il.com>
To:     David Miller <davem@...emloft.net>, vincent@...nat.ch
Cc:     netdev@...r.kernel.org, kuba@...nel.org, edumazet@...gle.com,
        kafai@...com
Subject: Re: [RFC PATCH net-next v1] net: core: enable SO_BINDTODEVICE for
 non-root users

On 3/15/20 6:02 PM, David Miller wrote:
> From: Vincent Bernat <vincent@...nat.ch>
> Date: Sun, 15 Mar 2020 16:59:11 +0100
> 
>> Currently, SO_BINDTODEVICE requires CAP_NET_RAW. This change allows a
>> non-root user to bind a socket to an interface if it is not already
>> bound. This is useful to allow an application to bind itself to a
>> specific VRF for outgoing or incoming connections. Currently, an
>> application wanting to manage connections through several VRF need to
>> be privileged. Moreover, I don't see a reason why an application
>> couldn't restrict its own scope. Such a privilege is already possible
>> with UDP through IP_UNICAST_IF.
> 
> It could be argued that IP_UNICAST_IF and similar should be privileged
> as well.
> 
> When the administrator sets up the routes, they don't expect that
> arbitrary user applications can "escape" the route configuration by
> specifying the interface so readily.
> 

Hi Dave:

As a reminder, there are currently 3 APIs to specify a preferred device
association which influences route lookups:

1. SO_BINDTODEVICE - sets sk_bound_dev_if and is the strongest binding
(ie., can not be overridden),

2. IP_UNICAST_IF / IPV6_UNICAST_IF - sets uc_index / ucast_oif and is
sticky for a socket, and

3. IP_PKTINFO / IPV6_PKTINFO - which is per message.

The first, SO_BINDTODEVICE, requires root privileges. The last 2 do not
require root privileges but only apply to raw and UDP sockets making TCP
the outlier.

Further, a downside to the last 2 is that they work for sendmsg only;
there is no way to definitively match a response to the sending socket.
The key point is that UDP and raw have multiple non-root APIs to dictate
a preferred device for sending messages.

Vincent's patch simplifies things quite a bit - allowing consistency
across the protocols and directions - but without overriding any
administrator settings (e.g., inherited bindings via ebpf programs).

Powered by blists - more mailing lists