* can-bus user permissions
From: Hodaszi, Robert @ 2014-06-26 10:19 UTC
To: linux-can@vger.kernel.org
Hi,
A while ago, only root was able to access the can interfaces, except if
the CONFIG_CAN_RAW_USER or CONFIG_CAN_BCM_USER was defined.
I would need a similar behavior: only some selected users or groups
should access the can interfaces, and nobody else. Is it possible to do
that somehow with the current kernel? Or should I modify it?
(E.g. it would be perfect, if I could use it like in case of IP sockets:
iptables -A OUTPUT -o eth0 -m owner --uid-owner 0 -j ACCEPT
and DROP others, or something like this.)
Thanks!
--
Robert Hodaszi
* Re: can-bus user permissions
From: Oliver Hartkopp @ 2014-06-26 17:55 UTC
To: Hodaszi, Robert, linux-can@vger.kernel.org
Hi Robert,
On 26.06.2014 12:19, Hodaszi, Robert wrote:
> A while ago, only root was able to access the can interfaces, except if
> the CONFIG_CAN_RAW_USER or CONFIG_CAN_BCM_USER was defined.
This has never been implemented in mainline Linux. There was an early
implementation for this in the SocketCAN development - but it had been removed
during the mainlining process.
>
> I would need a similar behavior: only some selected users or groups
> should access the can interfaces, and nobody else. Is it possible to do
> that somehow with the current kernel? Or should I modify it?
>
> (E.g. it would be perfect, if I could use it like in case of IP sockets:
> iptables -A OUTPUT -o eth0 -m owner --uid-owner 0 -j ACCEPT
> and DROP others, or something like this.)
Good idea.
Please try with the traffic control (tc) command.
For a CAN related introduction see:
http://rtime.felk.cvut.cz/can/socketcan-qdisc-final.pdf
And http://wiki.wlug.org.nz/TrafficControl talks about the possibility to
filter the traffic by
sk-uid (uid from the skbuff)
sk-gid (gid from the skbuff)
As the CAN frames generated by CAN_RAW and CAN_BCM properly set the sk
reference into the skbuff, the access to the sk-uid value should work.
Feel free to post an example here, if you got it working.
Regards,
Oliver