From: Oliver Hartkopp
Subject: Re: can-bus user permissions
Date: Thu, 26 Jun 2014 19:55:57 +0200
Message-ID: <53AC5EAD.6010405@hartkopp.net>
References: <1403777965.9016.9.camel@A1-Robi>
In-Reply-To: <1403777965.9016.9.camel@A1-Robi>
To: "Hodaszi, Robert", "linux-can@vger.kernel.org"

Hi Robert,

On 26.06.2014 12:19, Hodaszi, Robert wrote:

> A while ago, only root was able to access the can interfaces, except if
> the CONFIG_CAN_RAW_USER or CONFIG_CAN_BCM_USER was defined.

This has never been implemented in mainline Linux. There was an early
implementation for this in the SocketCAN development - but it had been
removed during the mainlining process.

>
> I would need a similar behavior: only some selected users or groups
> should access the can interfaces, and nobody else. Is it possible to do
> that somehow with the current kernel? Or should I modify it?
>
> (E.g. it would be perfect, if I could use it like in case of IP sockets:
> iptables -A OUTPUT -o eth0 -m owner --uid-owner 0 -j ACCEPT
> and DROP others, or something like this.)

Good idea.

Please try with the traffic control (tc) command. For a CAN related
introduction see:

http://rtime.felk.cvut.cz/can/socketcan-qdisc-final.pdf

And

http://wiki.wlug.org.nz/TrafficControl

talks about the possibility to filter the traffic by

sk-uid (uid from the skbuff)
sk-gid (gid from the skbuff)

As the CAN frames generated by CAN_RAW and CAN_BCM properly set the sk
reference into the skbuff the access to the sk-uid value should work.

Feel free to post an example here, if you made it working.

Regards,
Oliver