From: Vincent Bernat <vincent@bernat.ch>
To: David Ahern <dsahern@gmail.com>
Cc: David Miller <davem@davemloft.net>,
netdev@vger.kernel.org, Laurent Fasnacht <fasnacht@protonmail.ch>
Subject: Re: [PATCH net-next v2] net: core: enable SO_BINDTODEVICE for non-root users
Date: Tue, 27 Oct 2020 08:17:41 +0100 [thread overview]
Message-ID: <87tuugkui2.fsf@bernat.ch> (raw)
In-Reply-To: <ac5341e0-2ed7-2cfb-ec96-5e063fca9598@gmail.com> (David Ahern's message of "Fri, 23 Oct 2020 08:40:31 -0600")
❦ 23 October 2020 08:40 -06, David Ahern:
>> I am wondering if we should revert the patch for 5.10 while we can,
>> waiting for a better solution (and breaking people relying on the new
>> behavior in 5.9).
>>
>> Then, I can propose a patch with a sysctl to avoid breaking existing
>> setups.
>>
>
> I have not walked the details, but it seems like a security policy can
> be installed to get the previous behavior.
libtorrent is using SO_BINDTODEVICE for some reason (code is quite old,
so no git history). Previously, the call was unsuccessful and the error
was logged and ignored. Now, it succeeds and circumvents the routing
policy. Using Netfilter does not help as libtorrent won't act on dropped
packets as the socket is already configured on the wrong interface.
kprobe is unable to modify a syscall and seccomp cannot be applied
globally. LSMs are usually distro specific. What kind of security policy
do you have in mind?
Thanks.
--
Don't over-comment.
- The Elements of Programming Style (Kernighan & Plauger)