netdev.vger.kernel.org archive mirror
* using per-socket ipsec policies as user
@ 2012-11-11  6:21 Hannes Frederic Sowa
  2012-11-11  6:25 ` David Miller
  0 siblings, 1 reply; 3+ messages in thread
From: Hannes Frederic Sowa @ 2012-11-11  6:21 UTC (permalink / raw)
  To: netdev; +Cc: steffen.klassert

Hi list and Steffen,

in commit 6fc0b4a xfrm policy loading via setsockopt was restricted to CAP_NET_ADMIN. I
wondered if the situation of the xfrm interface got better since then or what
needs to be done to remove this restriction.

Greetings,

  Hannes


* Re: using per-socket ipsec policies as user
  2012-11-11  6:21 using per-socket ipsec policies as user Hannes Frederic Sowa
@ 2012-11-11  6:25 ` David Miller
  2012-11-11  6:38   ` Hannes Frederic Sowa
  0 siblings, 1 reply; 3+ messages in thread
From: David Miller @ 2012-11-11  6:25 UTC (permalink / raw)
  To: hannes; +Cc: netdev, steffen.klassert

From: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date: Sun, 11 Nov 2012 07:21:55 +0100

> in commit 6fc0b4a xfrm policy loading via setsockopt was restricted
> to CAP_NET_ADMIN. I wondered if the situation of the xfrm interface
> got better since then or what needs to be done to remove this
> restriction.

It's an intentional restriction and has a lot less to do with any
aspect of our implementation, but rather has more to do with what
operations we wish to allow non-privileged users to do or not.


* Re: using per-socket ipsec policies as user
  2012-11-11  6:25 ` David Miller
@ 2012-11-11  6:38   ` Hannes Frederic Sowa
  0 siblings, 0 replies; 3+ messages in thread
From: Hannes Frederic Sowa @ 2012-11-11  6:38 UTC (permalink / raw)
  To: David Miller; +Cc: netdev, steffen.klassert

On Sun, Nov 11, 2012 at 01:25:51AM -0500, David Miller wrote:
> From: Hannes Frederic Sowa <hannes@stressinduktion.org>
> Date: Sun, 11 Nov 2012 07:21:55 +0100
> 
> > in commit 6fc0b4a xfrm policy loading via setsockopt was restricted
> > to CAP_NET_ADMIN. I wondered if the situation of the xfrm interface
> > got better since then or what needs to be done to remove this
> > restriction.
> 
> It's an intentional restriction and has a lot less to do with any
> aspect of our implementation, but rather has more to do with what
> operations we wish to allow non-privileged users to do or not.

The commit message indicated otherwise. But I am fine with that.

Thanks,

  Hannes
