From: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
To: stsp <stsp2@yandex.ru>,
Willem de Bruijn <willemdebruijn.kernel@gmail.com>,
Ondrej Mosnacek <omosnace@redhat.com>
Cc: Willem de Bruijn <willemb@google.com>,
Jason Wang <jasowang@redhat.com>,
Jakub Kicinski <kuba@kernel.org>,
network dev <netdev@vger.kernel.org>,
Linux Security Module list
<linux-security-module@vger.kernel.org>,
SElinux list <selinux@vger.kernel.org>
Subject: Re: Possible mistake in commit 3ca459eaba1b ("tun: fix group permission check")
Date: Thu, 30 Jan 2025 11:46:27 -0500 [thread overview]
Message-ID: <679bace3a753f_1d35f32942d@willemb.c.googlers.com.notmuch> (raw)
In-Reply-To: <04879909-72e5-4ab6-8c28-5d3cb551feb5@yandex.ru>
stsp wrote:
> 29.01.2025 17:12, Willem de Bruijn пишет:
> > stsp wrote:
> >> 29.01.2025 01:59, Willem de Bruijn пишет:
> >>> stsp wrote:
> >>>> By doing that you indeed avoid
> >>>> the problem of "completely
> >>>> inaccessible tap". However, that
> >>>> breaks my setup, as I really
> >>>> intended to provide tap to the
> >>>> owner and the unrelated group.
> >>>> This is because, eg when setting
> >>>> a CI job, you can add the needed
> >>>> user to the needed group, but
> >>>> you also need to re-login, which
> >>>> is not always possible. :(
> >>> Could you leave tun->owner unset?
> >> That's exactly the problem: when
> >> the user is not in the needed group,
> >> then you need to unset _both_.
> >> Unsetting only owner is not enough.
> >> Adding the user to the group is not
> >> enough because then you need to
> >> re-login (bad for CI jobs).
> > At some point we can question whether the issue is with the setup,
> > rather than the kernel mechanism.
> >
> > Why does your setup have an initial user that lacks the group
> > permissions of the later processes, and a tun instance that has both
> > owner and group constraints set?
> >
> > Can this be fixed in userspace, rather than allow this odd case in the
> > kernel. Is it baked deeply into common containerization tools, say?
>
> No-no, its not a real or unfixible
> problem. At the end, I can just
> drop both group and user ownership
> of the TAP, and simply not to care.
In that case the safest course of action is to revert the patch.
It relaxes some access control restrictions that other users may have
come to depend on.
Say, someone expects that no process can use the device until it
adds the user to one of the groups.
It's farfetched, but in cases of access control, err on the side of
caution. Especially retroactively.
> My aforementioned attempt to
> allow changing suppl groups, was
> not directed to this particular case -
> inability to change suppl groups
> create much bigger problems in
> other areas, but my TAP problem
> is really very small.
> Which is why, eg if you decide to
> use "either-or" semantic - fine with
> me. I just think that completely
> reverting the patch is a sub-optimal
> choice, as the previous situation
> was even more broken than now.
>
next prev parent reply other threads:[~2025-01-30 16:46 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-27 9:10 Possible mistake in commit 3ca459eaba1b ("tun: fix group permission check") Ondrej Mosnacek
2025-01-27 10:00 ` stsp
2025-01-27 14:50 ` Willem de Bruijn
2025-01-27 14:58 ` stsp
2025-01-28 14:20 ` Ondrej Mosnacek
2025-01-28 14:45 ` stsp
2025-01-28 14:58 ` stsp
2025-01-28 15:04 ` Willem de Bruijn
2025-01-28 17:49 ` stsp
2025-01-28 22:59 ` Willem de Bruijn
2025-01-29 6:59 ` stsp
2025-01-29 14:12 ` Willem de Bruijn
2025-01-29 14:27 ` stsp
2025-01-30 16:46 ` Willem de Bruijn [this message]
2025-02-04 0:29 ` Paul Moore
2025-02-04 16:18 ` Ondrej Mosnacek
2025-02-04 19:40 ` Paul Moore
2025-02-06 3:04 ` Willem de Bruijn
2025-01-29 14:19 ` Willem de Bruijn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=679bace3a753f_1d35f32942d@willemb.c.googlers.com.notmuch \
--to=willemdebruijn.kernel@gmail.com \
--cc=jasowang@redhat.com \
--cc=kuba@kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=omosnace@redhat.com \
--cc=selinux@vger.kernel.org \
--cc=stsp2@yandex.ru \
--cc=willemb@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).