| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 28 Jan 2023 09:40:05 -0800
From: Stephen Hemminger <stephen@...workplumber.org>
To: Jakub Kicinski <kuba@...nel.org>
Cc: Chuck Lever <chuck.lever@...cle.com>, netdev@...r.kernel.org,
hare@...e.com, dhowells@...hat.com, kolga@...app.com,
jmeneghi@...hat.com, bcodding@...hat.com, jlayton@...hat.com
Subject: Re: [PATCH v2 2/3] net/handshake: Add support for PF_HANDSHAKE
On Sat, 28 Jan 2023 00:32:12 -0800
Jakub Kicinski <kuba@...nel.org> wrote:
> On Thu, 26 Jan 2023 11:02:22 -0500 Chuck Lever wrote:
> > I've designed a way to pass a connected kernel socket endpoint to
> > user space using the traditional listen/accept mechanism. accept(2)
> > gives us a well-worn building block that can materialize a connected
> > socket endpoint as a file descriptor in a specific user space
> > process. Like any open socket descriptor, the accepted FD can then
> > be passed to a library such as GnuTLS to perform a TLS handshake.
>
> I can't bring myself to like the new socket family layer.
> I'd like a second opinion on that, if anyone within netdev
> is willing to share..
Why not just pass fd's with Unix Domain socket?
The application is going to need to be changed to handle new AF already.
Also, expanding the address families has security impacts as well.
Either all the container and LSM's need to deny your new AF or they need
to be taught to validate whether this a valid operation.
Powered by blists - more mailing lists