From: Jakub Kicinski <kuba@kernel.org>
To: Vishnu Santhosh <vishnu.santhosh@oss.qualcomm.com>
Cc: Manivannan Sadhasivam <mani@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>, Simon Horman <horms@kernel.org>,
linux-arm-msm@vger.kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, bjorn.andersson@oss.qualcomm.com,
chris.lew@oss.qualcomm.com,
Deepak Kumar Singh <deepak.singh@oss.qualcomm.com>
Subject: Re: [PATCH] net: qrtr: Expand control port access to root
Date: Fri, 6 Feb 2026 18:36:57 -0800
Message-ID: <20260206183657.0477e50a@kernel.org>
In-Reply-To: <20260205-qrtr-control-port-access-permission-v1-1-e900039e92d5@oss.qualcomm.com>
On Thu, 05 Feb 2026 13:51:31 +0530 Vishnu Santhosh wrote:
> When qrtr is loaded as a module, qrtr-ns runs from the SELinux kmod_t
> domain. On targets using upstream SELinux policies, this domain
> does not receive CAP_NET_ADMIN, which prevents it from binding the
> control port even though qrtr-ns is a trusted system component.
>
> Granting kmod_t the CAP_NET_ADMIN capability in policy is possible,
> but not desirable, as kmod_t is not expected to perform networking
> operations and widening its capability set is discouraged.
>
> To address this in a contained way within qrtr, extend the control
> port permission check to allow binding when either:
>
> - the process has CAP_NET_ADMIN, or
> - the process belongs to GLOBAL_ROOT_GID (root-equivalent tasks)
>
> This permits qrtr-ns to successfully bind its control port in
> kmod_t restricted environments without broadening SELinux capability
> assignments.
This really feels like a one-off hack, but it's far from my area
of expertise. Could you get an ack or review tag from some kernel
maintainer working on security, capabilities or permissions?
--
pw-bot: defer
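As an added example (not part of the patch or of the qrtr code): a small user-space probe that asks the running kernel whether the calling process may bind a QRTR socket to the control port, so a reviewer can confirm the access model by running it from an unprivileged shell, from a gid-0 process, and with CAP_NET_ADMIN. It assumes the AF_QIPCRTR family number and the QRTR_PORT_CTRL value from the kernel UAPI headers, restated as local constants, and a hypothetical struct name with the same layout as struct sockaddr_qrtr.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
/* Constants restated from the kernel UAPI (include/linux/socket.h,
 * include/uapi/linux/qrtr.h) so the probe builds without linux/qrtr.h. */
#ifndef AF_QIPCRTR
#define AF_QIPCRTR 42
#endif
#define PROBE_QRTR_PORT_CTRL 0xfffffffeu
/* Same layout as struct sockaddr_qrtr; hypothetical name to avoid the header. */
struct probe_sockaddr_qrtr {
    sa_family_t sq_family;
    uint32_t sq_node;
    uint32_t sq_port;
};
enum ctrl_bind_result {
    CTRL_BIND_UNSUPPORTED = -1, /* socket() failed: no AF_QIPCRTR on this kernel */
    CTRL_BIND_ALLOWED = 0,      /* bind() succeeded: caller passed the permission check */
    CTRL_BIND_DENIED = 1,       /* EACCES or EPERM: the permission check refused us */
    CTRL_BIND_ERROR = 2,        /* other failure, e.g. EADDRINUSE when qrtr-ns holds it */
};

/* Try to bind a fresh QRTR socket to the control port; *err receives errno (0 on success). */
enum ctrl_bind_result probe_ctrl_port_bind(int *err)
{
    struct probe_sockaddr_qrtr sq;
    socklen_t len = sizeof(sq);
    int fd = socket(AF_QIPCRTR, SOCK_DGRAM, 0);
    *err = 0;
    if (fd < 0) { *err = errno; return CTRL_BIND_UNSUPPORTED; }
    /* bind() requires the local node id; getsockname() reports it on an unbound socket. */
    if (getsockname(fd, (struct sockaddr *)&sq, &len) < 0) {
        *err = errno; close(fd); return CTRL_BIND_ERROR;
    }
    sq.sq_port = PROBE_QRTR_PORT_CTRL;
    if (bind(fd, (struct sockaddr *)&sq, sizeof(sq)) == 0) { close(fd); return CTRL_BIND_ALLOWED; }
    *err = errno; /* save before close(), which may clobber errno */
    close(fd);
    return (*err == EACCES || *err == EPERM) ? CTRL_BIND_DENIED : CTRL_BIND_ERROR;
}

int main(void)
{
    int err;
    int r = probe_ctrl_port_bind(&err);
    printf("control port bind: result %d (%s)\n", r, err ? strerror(err) : "ok");
    return 0;
}
```

Run it once as an ordinary user, once under a gid-0 identity without CAP_NET_ADMIN, and once with the capability; with the patch applied the first run should report CTRL_BIND_DENIED and the other two should not.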
2026-02-05 8:21 [PATCH] net: qrtr: Expand control port access to root Vishnu Santhosh
2026-02-06 3:59 ` Jijie Shao
2026-02-07 2:34 ` Jakub Kicinski
2026-02-09 1:27 ` Jijie Shao
2026-02-07 2:36 ` Jakub Kicinski [this message]
2026-02-11 17:20 ` Manivannan Sadhasivam
2026-02-11 18:37 ` Stephen Smalley
2026-02-18 9:17 ` Vishnu Santhosh
2026-02-11 14:06 ` Bjorn Andersson