From: Lorenzo Colitti <lorenzo@google.com>
To: David Ahern <dsa@cumulusnetworks.com>
Cc: "netdev@vger.kernel.org" <netdev@vger.kernel.org>,
Eric Dumazet <eric.dumazet@gmail.com>,
David Miller <davem@davemloft.net>, Erik Kline <ek@google.com>
Subject: Re: [PATCH net-next v2 2/2] net: diag: allow socket bytecode filters to match socket marks
Date: Thu, 25 Aug 2016 00:03:02 +0900 [thread overview]
Message-ID: <CAKD1Yr35Tvi03fpE14j0dk8DuhAWs6KRekd3DzOeq7Hf97CUJg@mail.gmail.com> (raw)
In-Reply-To: <77441548-8f56-08de-4b76-00ed404a6ffe@cumulusnetworks.com>
On Wed, Aug 24, 2016 at 11:35 PM, David Ahern <dsa@cumulusnetworks.com> wrote:
> sock_diag_destroy already requires ADMIN for destroying sockets, so adding here just prevents listing them. Given that and the fact that the diag API does not pass the mark value is there a reason to add the extra ADMIN check?
Even though the API does not return the mark value, this code allows
the caller to find the mark of any socket simply by performing n=32
socket dumps, each filtering for a mark/mask of 1<<n/1<<n. Each such
dump will reveal bit n in the mark of all sockets in the system.
If you consider socket marks to be information that's private to the
app, then it's appropriate to restrict access to them to NET_ADMIN. I
thought it prudent to do so, particularly since only applications with
NET_ADMIN can set marks in the first place.
Note that a process with NET_ADMIN can already determine the mark of
any given socket (as long as that socket sends a packet) by installing
32 iptables rules that exactly match the socket's 5-tuple and where
each rule checks one bit in the mark. So this patch doesn't expose any
information that was not previously available.
next prev parent reply other threads:[~2016-08-24 15:03 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-08-24 6:46 [PATCH net-next v2 1/2] net: diag: slightly refactor the inet_diag_bc_audit error checks Lorenzo Colitti
2016-08-24 6:46 ` [PATCH net-next v2 2/2] net: diag: allow socket bytecode filters to match socket marks Lorenzo Colitti
2016-08-24 14:35 ` David Ahern
2016-08-24 15:03 ` Lorenzo Colitti [this message]
2016-08-24 15:14 ` David Ahern
2016-08-25 4:57 ` David Miller
2016-08-24 14:16 ` [PATCH net-next v2 1/2] net: diag: slightly refactor the inet_diag_bc_audit error checks David Ahern
2016-08-25 4:57 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAKD1Yr35Tvi03fpE14j0dk8DuhAWs6KRekd3DzOeq7Hf97CUJg@mail.gmail.com \
--to=lorenzo@google.com \
--cc=davem@davemloft.net \
--cc=dsa@cumulusnetworks.com \
--cc=ek@google.com \
--cc=eric.dumazet@gmail.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).