From mboxrd@z Thu Jan 1 00:00:00 1970 From: Jiri Benc Subject: Re: [PATCH 5/5] net: Use netlink_ns_capable to verify the permisions of netlink messages Date: Thu, 22 May 2014 17:05:05 +0200 Message-ID: <20140522170505.64ef87a2@griffin> References: <87d2g7d9ag.fsf_-_@x220.int.ebiederm.org> <536AB151.2070804@dti2.net> <20140507.185256.496391962242529591.davem@davemloft.net> Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Cc: Linus Torvalds , David Miller , "Jorge Boncompte [DTI2]" , "Eric W. Biederman" , Vivek Goyal , Simo Sorce , "security@kernel.org" , Network Development , "Serge E. Hallyn" To: Andy Lutomirski Return-path: Received: from mx1.redhat.com ([209.132.183.28]:59854 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751418AbaEVPFV (ORCPT ); Thu, 22 May 2014 11:05:21 -0400 In-Reply-To: Sender: netdev-owner@vger.kernel.org List-ID: On Wed, 7 May 2014 16:45:10 -0700, Andy Lutomirski wrote: > It looks like Zebra is mucking with its effective set. It creates the > socket w/o effective caps, raises them to bind (no clue why), lowers > them post-bind, then raises them again to sendto. Presumably the new > checks cause the sendto to fail b/c the socket()-time credentials were > insufficient. > > I don't see why it bound w/ elevated permissions, since I don't think > this is important. And it never connected at all. > > Hence my suggestion that we check permissions at connect time instead > of socket() time and that we just check send-time permissions on an > unconnected socket. Yes, this is awful. AFAIK this is still unresolved and this seems to be the only solution proposed so far that fixes the security problem and does not break zebra. Or have I missed something and the conclusion is zebra needs to be modified to comply with the changed semantics? Jiri -- Jiri Benc