From: Eric Biggers <ebiggers@kernel.org>
To: Andy Lutomirski <luto@amacapital.net>
Cc: linux-crypto@vger.kernel.org,
Herbert Xu <herbert@gondor.apana.org.au>,
linux-doc@vger.kernel.org, linux-api@vger.kernel.org,
linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: Re: [PATCH] crypto: af_alg - Document the deprecation of AF_ALG
Date: Tue, 5 May 2026 17:17:40 -0700
Message-ID: <20260506001740.GA67098@quark>
In-Reply-To: <CALCETrVqG+1yErRJjkxvJrf=A+Vu84HTR4Bx1Pcd8G1C0PJcMA@mail.gmail.com>
On Tue, May 05, 2026 at 04:17:18PM -0700, Andy Lutomirski wrote:
> > On Apr 29, 2026, at 6:19 PM, Eric Biggers <ebiggers@kernel.org> wrote:
> >
> > AF_ALG is almost completely unnecessary, and it exposes a massive attack
> > surface that hasn't been standing up to modern vulnerability discovery
> > tools. The latest one even has its own website, providing a small
> > Python script that reliably roots most Linux distros: https://copy.fail/
>
> How about adding a configuration option, defaulted on, that requires
> capable(CAP_SYS_ADMIN) to create the socket (and maybe also to bind /
> connect it). And a sysctl to allow the administrator to override this
> in the unlikely event that it’s needed.
>
> IIRC cryptsetup used to and maybe even still does require these
> sockets sometimes and this would let it keep working. And there's all
> the FIPS stuff downthread.
Yes, I'd like to add a default-on requirement to hold a capability in
the initial user namespace. We're trying to figure out the details.
It sounds like iwd runs with CAP_NET_ADMIN, not necessarily
CAP_SYS_ADMIN. So it may need to be:
has_capability_noaudit(current, CAP_NET_ADMIN) || capable(CAP_SYS_ADMIN)
iwd is being discussed in the thread
https://lore.kernel.org/linux-crypto/bcbbef00-5881-421b-8892-7be6c04b832d@gmail.com/
cryptsetup is normally run with CAP_SYS_ADMIN, but not always (e.g.,
'cryptsetup benchmark'). It might be acceptable for users to add sudo
in the exceptional cases. cryptsetup is being discussed in the thread
https://lore.kernel.org/linux-crypto/5dd3be22-13fb-41fb-b469-1ae6472200b1@gmail.com/
bluez needs investigation.
- Eric
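The reply above proposes gating AF_ALG socket creation on CAP_NET_ADMIN or CAP_SYS_ADMIN held in the initial user namespace. The following is an added audit helper, written for this page and not code from the kernel, from Eric Biggers or from the thread: it checks what the current process would look like to such a gate (its effective capability mask from /proc/self/status and whether it lives in the initial user namespace per /proc/self/uid_map) and then probes whether this kernel currently lets the process create and bind an AF_ALG socket at all. The `would_pass_gate` function is a userspace model of the proposed check, not the kernel's implementation, and the status/uid_map samples in the test are constructed.

```python
"""Audit: would the proposed AF_ALG capability gate apply to this process, and
does the running kernel currently expose AF_ALG to it?  Added example for this
page; the gate model below mirrors the expression proposed in the thread and is
not kernel code."""
import errno
import socket

# Capability bit numbers from include/uapi/linux/capability.h
CAP_NET_ADMIN = 12
CAP_SYS_ADMIN = 21


def parse_cap_eff(status_text):
    """Return the effective capability mask from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line in status text")


def has_cap(mask, cap):
    """True if capability bit `cap` is set in `mask`."""
    return bool((mask >> cap) & 1)


def in_initial_user_ns(uid_map_text):
    """The initial user namespace shows the identity map '0 0 4294967295'
    in /proc/self/uid_map; any other mapping means a child namespace."""
    return uid_map_text.split() == ["0", "0", "4294967295"]


def would_pass_gate(cap_eff_mask, initial_ns):
    """Model of the proposed check
        has_capability_noaudit(current, CAP_NET_ADMIN) || capable(CAP_SYS_ADMIN)
    Both kernel helpers test against the initial user namespace, so a
    capability granted only inside a child user namespace does not count."""
    if not initial_ns:
        return False
    return has_cap(cap_eff_mask, CAP_NET_ADMIN) or has_cap(cap_eff_mask, CAP_SYS_ADMIN)


def probe_af_alg(alg_type="hash", alg_name="sha256"):
    """Try to create and bind an AF_ALG socket and classify the outcome:
    'unsupported-platform' (no AF_ALG in this Python/OS), 'disabled'
    (address family not available in this kernel), 'restricted' (denied by
    a kernel gate, LSM or seccomp), 'exposed' (unprivileged use works)."""
    af_alg = getattr(socket, "AF_ALG", None)
    if af_alg is None:
        return "unsupported-platform"
    try:
        s = socket.socket(af_alg, socket.SOCK_SEQPACKET)
    except OSError as e:
        if e.errno in (errno.EAFNOSUPPORT, errno.EPROTONOSUPPORT,
                       errno.ESOCKTNOSUPPORT):
            return "disabled"
        if e.errno in (errno.EPERM, errno.EACCES):
            return "restricted"
        raise
    with s:
        try:
            s.bind((alg_type, alg_name))
        except OSError as e:
            if e.errno in (errno.EPERM, errno.EACCES):
                return "restricted"
            if e.errno == errno.ENOENT:
                return "exposed-alg-missing"  # socket usable, algorithm absent
            raise
    return "exposed"


def audit_self():
    """Read the live /proc files for this process and summarise."""
    with open("/proc/self/status") as f:
        mask = parse_cap_eff(f.read())
    with open("/proc/self/uid_map") as f:
        initial_ns = in_initial_user_ns(f.read())
    return {
        "cap_net_admin": has_cap(mask, CAP_NET_ADMIN),
        "cap_sys_admin": has_cap(mask, CAP_SYS_ADMIN),
        "initial_user_ns": initial_ns,
        "would_pass_proposed_gate": would_pass_gate(mask, initial_ns),
        "af_alg_now": probe_af_alg(),
    }


if __name__ == "__main__":
    for key, value in audit_self().items():
        print(f"{key}: {value}")
```

Running the script as an unprivileged user on a current kernel typically reports `af_alg_now: exposed` together with `would_pass_proposed_gate: False`, which is exactly the population the proposed default-on gate would cut off; the same run under a service's sandbox shows whether that service (iwd, cryptsetup, bluez) holds the needed capability in the initial namespace or would need an override.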
Thread overview: 12+ messages
2026-04-30 1:15 [PATCH] crypto: af_alg - Document the deprecation of AF_ALG Eric Biggers
2026-04-30 2:05 ` Herbert Xu
2026-04-30 2:10 ` Eric Biggers
2026-05-04 14:39 ` Jon Kohler
2026-05-04 17:39 ` Eric Biggers
2026-05-04 18:12 ` Jeff Barnes
2026-05-04 18:24 ` Eric Biggers
2026-05-04 18:27 ` Simo Sorce
2026-05-04 17:41 ` Jeff Barnes
2026-05-05 9:31 ` Herbert Xu
2026-05-05 23:17 ` Andy Lutomirski
2026-05-06 0:17 ` Eric Biggers [this message]