From: "Michael S. Tsirkin" <mst@redhat.com>
To: Michael Stone <michael@laptop.org>
Cc: Anthony Liguori <anthony@codemonkey.ws>,
linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: Re: disablenetwork (v5): Simplify the disablenetwork sendmsg hook.
Date: Sun, 17 Jan 2010 20:04:06 +0200
Message-ID: <20100117180405.GA32339@redhat.com>
In-Reply-To: <20100117170431.GA2949@heat>
On Sun, Jan 17, 2010 at 12:04:32PM -0500, Michael Stone wrote:
> Michael Tsirkin wrote:
>> On Fri, Jan 15, 2010 at 03:12:46AM -0500, Michael Stone wrote:
>>> The idea is that calls like
>>>
>>> sendto(fd, buffer, len, 0, NULL, 0);
>>> send(fd, buffer, len, 0)
>>> write(fd, buffer, len)
>>>
>>> are all to be permitted but that calls like
>>>
>>> sendto(fd, buffer, len, 0, (struct sockaddr *) &addr, sizeof(addr));
>>>
>>> are to be rejected when the current task's network is disabled on the grounds
>>> that the former calls must use previously connected sockets but that the latter
>>> socket need not have been previously connected.
>>>
>>> Signed-off-by: Michael Stone <michael@laptop.org>
>>
>> Michael, if I understand correctly, with this patch one could use
>> disablenetwork to pass an af_packet socket bound to a device to a
>> task, and make sure that the task does not use it to inject packets into
>> another device?
>
> Michael,
>
> Thanks for writing. If I understand you correctly, you're asking:
>
> May a network-disabled process use recvmsg() with SCM_RIGHTS control messages
> to receive a file descriptor pointing to previously connected or bound
> AF_PACKET socket and, having received such an fd, may the network-disabled
> process use the socket normally?
>
> If I've understood correctly, then the answer is "yes, to the extent that you
> can't do stupid things with sendmsg(), fcntl(), ioctl(), and friends."
>
> I intend to look more carefully at the ability to use those calls to do stupid
> things in coming weeks.
>
> Does this help?
>
> Regards,
>
> Michael
>
> P.S. - Incidentally, what is the nature of your interest?
We discussed using af_packet sockets for networking in qemu. qemu is a
large project so it might not be a great idea to run it as root all the
time: a better idea is to e.g. get fd from a privileged server.
However, we'd like to limit qemu even more, so that it can only use the
fd for send/receive.
> (And was your question intentionally or accidentally off-list?)
Oops. Adding it back.
--
MST
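Added example, not part of the thread and not the disablenetwork patch itself: a single-process C sketch of the arrangement described above. A "privileged" side owns a connected socket and hands it to a "sandboxed" side over an AF_UNIX socket with SCM_RIGHTS; the sandboxed side then uses it with a plain send() that names no destination. The function `disablenetwork_would_allow` is a userspace model of the rule quoted in the patch description (a message with msg_name set is rejected, one without is allowed), not the kernel hook. The function names, and the use of a socketpair standing in for the AF_PACKET socket, are assumptions made for the example.

```c
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/un.h>

/* Userspace model of the sendmsg rule from the thread (assumption: the
   kernel hook is not reproduced here): a message that names a destination
   is rejected for a network-disabled task; one that relies on the socket's
   existing connection is allowed. */
int disablenetwork_would_allow(const struct msghdr *msg)
{
    return msg->msg_name == NULL && msg->msg_namelen == 0;
}

/* Pass fd_to_pass over the AF_UNIX socket sock using SCM_RIGHTS. */
static int send_fd(int sock, int fd_to_pass)
{
    char byte = 'F';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    memset(&u, 0, sizeof u);
    struct msghdr msg = { 0 };
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd_to_pass, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one fd sent with send_fd(); returns the new fd or -1. */
static int recv_fd(int sock)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    memset(&u, 0, sizeof u);
    struct msghdr msg = { 0 };
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;
    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS
        || cm->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* End-to-end demo in one process. data[] is a constructed stand-in for the
   af_packet socket; ctl[] is the channel from the privileged server to the
   sandboxed task. Returns 0 on success, a negative step number otherwise. */
int demo_pass_connected_socket(void)
{
    int ctl[2], data[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, ctl) < 0) return -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, data) < 0) return -1;
    if (send_fd(ctl[0], data[0]) < 0) return -2;
    int got = recv_fd(ctl[1]);
    if (got < 0) return -3;
    /* The sandboxed side sends without naming a peer: allowed by the rule. */
    struct msghdr probe = { 0 };
    if (!disablenetwork_would_allow(&probe)) return -4;
    if (send(got, "ping", 4, 0) != 4) return -5;
    char buf[8] = { 0 };
    if (recv(data[1], buf, sizeof buf, 0) != 4 || memcmp(buf, "ping", 4)) return -6;
    /* A message that names an address would be rejected by the rule. */
    struct sockaddr_un dst = { .sun_family = AF_UNIX };
    struct msghdr named = { 0 };
    named.msg_name = &dst;
    named.msg_namelen = sizeof dst;
    if (disablenetwork_would_allow(&named)) return -7;
    close(got); close(ctl[0]); close(ctl[1]); close(data[0]); close(data[1]);
    return 0;
}

int main(void)
{
    return demo_pass_connected_socket() == 0 ? 0 : 1;
}
```

The received fd is a fresh descriptor referring to the same open socket, which is why the sandboxed side can send on it without ever calling connect() itself; whether fcntl() and ioctl() on that fd can be abused is the open question left in the thread.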