From: "Michael S. Tsirkin" <mst@redhat.com>
To: Michael Stone <michael@laptop.org>
Cc: Anthony Liguori <anthony@codemonkey.ws>,
	linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
	linux-security-module@vger.kernel.org
Subject: Re: disablenetwork (v5): Simplify the disablenetwork sendmsg hook.
Date: Sun, 17 Jan 2010 20:04:06 +0200
Message-ID: <20100117180405.GA32339@redhat.com>
In-Reply-To: <20100117170431.GA2949@heat>

On Sun, Jan 17, 2010 at 12:04:32PM -0500, Michael Stone wrote:
> Michael Tsirkin wrote:
>> On Fri, Jan 15, 2010 at 03:12:46AM -0500, Michael Stone wrote:
>>> The idea is that calls like
>>>
>>>    sendto(fd, buffer, len, 0, NULL, 0);
>>>    send(fd, buffer, len, 0)
>>>    write(fd, buffer, len)
>>>
>>> are all to be permitted but that calls like
>>>
>>>    sendto(fd, buffer, len, 0, (struct sockaddr *) &addr, sizeof(addr));
>>>
>>> are to be rejected when the current task's network is disabled on the grounds
>>> that the former calls must use previously connected sockets but that the latter
>>> socket need not have been previously connected.
>>>
>>> Signed-off-by: Michael Stone <michael@laptop.org>
>>
>> Michael, if I understand correctly, with this patch one could use
>> disablenetwork to pass an af_packet socket bound to a device to a
>> task, and make sure that the task does not use it to inject packets into
>> another device?
>
> Michael,
>
> Thanks for writing. If I understand you correctly, you're asking:
>
>   May a network-disabled process use recvmsg() with SCM_RIGHTS control messages
>   to receive a file descriptor pointing to previously connected or bound
>   AF_PACKET socket and, having received such an fd, may the network-disabled
>   process use the socket normally?
>
> If I've understood correctly, then the answer is "yes, to the extent that you
> can't do stupid things with sendmsg(), fcntl(), ioctl(), and friends."
>
> I intend to look more carefully at the ability to use those calls to do stupid
> things in coming weeks.
>
> Does this help?
>
> Regards,
>
> Michael
>
> P.S. - Incidentally, what is the nature of your interest?

We discussed using af_packet sockets for networking in qemu.  qemu is a
large project so it might not be a great idea to run it as root all the
time: a better idea is to e.g. get the fd from a privileged server.
However, we'd like to limit qemu even more, so that it can only use the
fd for send/receive.

> (And was your question intentionally or accidentally off-list?)

Oops. Adding it back.

-- 
MST
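The mechanism both messages above rely on, handing an already-open socket from a privileged helper to a confined task with SCM_RIGHTS, as an added example that is not code from the thread or from the disablenetwork patches. The names send_fd, recv_fd and demo are hypothetical, and a socketpair() stands in for the AF_PACKET socket so the code runs without privileges; the receiver then uses the passed descriptor only through send(), the kind of call the patch keeps permitted.

```c
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
/* Ancillary-data buffer sized and aligned for exactly one descriptor. */
union fdbuf { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; };
/* Pass one open descriptor across a connected AF_UNIX socket; 0 on success. */
int send_fd(int chan, int fd_to_pass)
{
    char byte = 'F'; /* SCM_RIGHTS needs at least one byte of ordinary data */
    struct iovec iov = { &byte, 1 };
    union fdbuf u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd_to_pass, sizeof(int));
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor; returns the new fd, or -1 if none was attached. */
int recv_fd(int chan)
{
    char byte; int fd = -1;
    struct iovec iov = { &byte, 1 };
    union fdbuf u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(chan, &msg, 0) != 1)
        return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg); /* validate before trusting it */
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS ||
        cm->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Constructed demo: socketpair stands in for AF_PACKET (runs unprivileged);
 * the receiver touches the passed fd only through send(). 0 if the byte arrives. */
int demo(void)
{
    int chan[2], net[2], got; char c = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, chan) || socketpair(AF_UNIX, SOCK_STREAM, 0, net))
        return -1;
    if (send_fd(chan[0], net[1]) || (got = recv_fd(chan[1])) < 0)
        return -1;
    if (send(got, "x", 1, 0) != 1 || recv(net[0], &c, 1, 0) != 1)
        return -1;
    close(got); close(chan[0]); close(chan[1]); close(net[0]); close(net[1]);
    return c == 'x' ? 0 : -1;
}
```

Note that recv_fd checks the control message's level, type and length before using it; a receiver that skips that can be handed an unexpected descriptor type by whoever holds the other end of the channel.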
