From: Leonard Crestez <cdleonard@gmail.com>
To: Eric Dumazet <edumazet@google.com>
Cc: David Ahern <dsahern@kernel.org>,
Dmitry Safonov <0x7f454c46@gmail.com>,
Francesco Ruggeri <fruggeri@arista.com>,
Salam Noureddine <noureddine@arista.com>,
Philip Paeps <philip@trouble.is>, Shuah Khan <shuah@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Herbert Xu <herbert@gondor.apana.org.au>,
Kuniyuki Iwashima <kuniyu@amazon.co.jp>,
Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
Jakub Kicinski <kuba@kernel.org>,
Yuchung Cheng <ycheng@google.com>,
Mat Martineau <mathew.j.martineau@linux.intel.com>,
Christoph Paasch <cpaasch@apple.com>,
Ivan Delalande <colona@arista.com>,
Caowangbao <caowangbao@huawei.com>,
Priyaranjan Jha <priyarjha@google.com>,
netdev <netdev@vger.kernel.org>,
"open list:HARDWARE RANDOM NUMBER GENERATOR CORE"
<linux-crypto@vger.kernel.org>,
"open list:KERNEL SELFTEST FRAMEWORK"
<linux-kselftest@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v8 08/26] tcp: authopt: Disable via sysctl by default
Date: Wed, 7 Sep 2022 19:53:53 +0300 [thread overview]
Message-ID: <b951b8fb-f2b3-bcbb-8b7f-868b1f78f9bb@gmail.com> (raw)
In-Reply-To: <CANn89iKq4rUkCwSSD-35u+Lb8s9u-8t5bj1=aZuQ8+oYwuC-Eg@mail.gmail.com>
On 9/7/22 02:11, Eric Dumazet wrote:
> On Mon, Sep 5, 2022 at 12:06 AM Leonard Crestez <cdleonard@gmail.com> wrote:
>>
>> This is mainly intended to protect against local privilege escalations
>> through a rarely used feature so it is deliberately not namespaced.
>>
>> Enforcement is only at the setsockopt level, this should be enough to
>> ensure that the tcp_authopt_needed static key never turns on.
>>
>> No effort is made to handle disabling when the feature is already in
>> use.
>>
>> Signed-off-by: Leonard Crestez <cdleonard@gmail.com>
>> ---
>> Documentation/networking/ip-sysctl.rst | 6 ++++
>> include/net/tcp_authopt.h | 1 +
>> net/ipv4/sysctl_net_ipv4.c | 39 ++++++++++++++++++++++++++
>> net/ipv4/tcp_authopt.c | 25 +++++++++++++++++
>> 4 files changed, 71 insertions(+)
>>
>> diff --git a/Documentation/networking/ip-sysctl.rst b/Documentation/networking/ip-sysctl.rst
>> index a759872a2883..41be0e69d767 100644
>> --- a/Documentation/networking/ip-sysctl.rst
>> +++ b/Documentation/networking/ip-sysctl.rst
>> @@ -1038,10 +1038,16 @@ tcp_challenge_ack_limit - INTEGER
>> Note that this per netns rate limit can allow some side channel
>> attacks and probably should not be enabled.
>> TCP stack implements per TCP socket limits anyway.
>> Default: INT_MAX (unlimited)
>>
>> +tcp_authopt - BOOLEAN
>> + Enable the TCP Authentication Option (RFC5925), a replacement for TCP
>> + MD5 Signatures (RFC2835).
>> +
>> + Default: 0
>> +
...
>> +#ifdef CONFIG_TCP_AUTHOPT
>> +static int proc_tcp_authopt(struct ctl_table *ctl,
>> + int write, void *buffer, size_t *lenp,
>> + loff_t *ppos)
>> +{
>> + int val = sysctl_tcp_authopt;
>
> val = READ_ONCE(sysctl_tcp_authopt);
>
>> + struct ctl_table tmp = {
>> + .data = &val,
>> + .mode = ctl->mode,
>> + .maxlen = sizeof(val),
>> + .extra1 = SYSCTL_ZERO,
>> + .extra2 = SYSCTL_ONE,
>> + };
>> + int err;
>> +
>> + err = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos);
>> + if (err)
>> + return err;
>> + if (sysctl_tcp_authopt && !val) {
>
> READ_ONCE(sysctl_tcp_authopt)
>
> Note that this test would still be racy, because another cpu might
> change sysctl_tcp_authopt right after the read.
What meaningful races are possible here? This is a variable that changes
from 0 to 1 at most once.
In theory if two processes attempt to assign "non-zero" at the same time
then one will "win" and the other will get an error but races between
userspace writing different values are possible for any sysctl. The
solution seems to be "write sysctls from a single place".
All the checks are in sockopts - in theory if the sysctl is written on
one CPU then a sockopt can still fail on another CPU until caches are
flushed. Is this what you're worried about?
In theory doing READ_ONCE might incur a slight penalty on sockopt but
not noticeable.
>
>> + net_warn_ratelimited("Enabling TCP Authentication Option is permanent\n");
>> + return -EINVAL;
>> + }
>> + sysctl_tcp_authopt = val;
>
> WRITE_ONCE(sysctl_tcp_authopt, val), or even better:
>
> if (val)
> cmpxchg(&sysctl_tcp_authopt, 0, val);
>
>> + return 0;
>> +}
>> +#endif
>> +
This would be useful if we did any sort of initialization here but we
don't. Crypto is initialized somewhere completely different.
next prev parent reply other threads:[~2022-09-07 16:54 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-05 7:05 [PATCH v8 00/26] tcp: Initial support for RFC5925 auth option Leonard Crestez
2022-09-05 7:05 ` [PATCH v8 01/26] tcp: authopt: Initial support and key management Leonard Crestez
2022-09-06 22:57 ` Eric Dumazet
2022-09-07 16:19 ` Leonard Crestez
2022-09-07 16:28 ` Eric Dumazet
2022-09-07 18:09 ` Leonard Crestez
2022-09-08 6:35 ` Paolo Abeni
2022-09-08 10:47 ` Leonard Crestez
2022-09-08 10:53 ` David Ahern
2022-09-05 7:05 ` [PATCH v8 02/26] docs: Add user documentation for tcp_authopt Leonard Crestez
2022-09-05 7:05 ` [PATCH v8 03/26] tcp: authopt: Add crypto initialization Leonard Crestez
2022-09-05 7:05 ` [PATCH v8 04/26] tcp: Refactor tcp_sig_hash_skb_data for AO Leonard Crestez
2022-09-05 7:05 ` [PATCH v8 05/26] tcp: authopt: Compute packet signatures Leonard Crestez
2022-09-05 7:05 ` [PATCH v8 06/26] tcp: Refactor tcp_inbound_md5_hash into tcp_inbound_sig_hash Leonard Crestez
2022-09-05 7:05 ` [PATCH v8 07/26] tcp: authopt: Hook into tcp core Leonard Crestez
2022-09-05 7:05 ` [PATCH v8 08/26] tcp: authopt: Disable via sysctl by default Leonard Crestez
2022-09-06 23:11 ` Eric Dumazet
2022-09-07 16:53 ` Leonard Crestez [this message]
2022-09-07 17:04 ` Eric Dumazet
2022-09-07 17:58 ` Leonard Crestez
2022-09-07 22:49 ` Herbert Xu
2022-09-07 22:58 ` Eric Dumazet
2022-09-05 7:05 ` [PATCH v8 09/26] tcp: authopt: Implement Sequence Number Extension Leonard Crestez
2022-09-05 7:05 ` [PATCH v8 10/26] tcp: ipv6: Add AO signing for tcp_v6_send_response Leonard Crestez
2022-09-05 7:05 ` [PATCH v8 11/26] tcp: authopt: Add support for signing skb-less replies Leonard Crestez
2022-09-05 7:05 ` [PATCH v8 12/26] tcp: ipv4: Add AO signing for " Leonard Crestez
2022-09-05 7:05 ` [PATCH v8 13/26] tcp: authopt: Add NOSEND/NORECV flags Leonard Crestez
2022-09-05 7:05 ` [PATCH v8 14/26] tcp: authopt: Add initial l3index support Leonard Crestez
2022-09-05 7:05 ` [PATCH v8 15/26] tcp: authopt: Add prefixlen support Leonard Crestez
2022-09-05 7:05 ` [PATCH v8 16/26] tcp: authopt: Add send/recv lifetime support Leonard Crestez
2022-09-05 7:05 ` [PATCH v8 17/26] tcp: authopt: Add key selection controls Leonard Crestez
2022-09-05 7:05 ` [PATCH v8 18/26] tcp: authopt: Add v4mapped ipv6 address support Leonard Crestez
2022-09-05 7:05 ` [PATCH v8 19/26] tcp: authopt: Add /proc/net/tcp_authopt listing all keys Leonard Crestez
2022-09-05 7:05 ` [PATCH v8 20/26] tcp: authopt: If no keys are valid for send report an error Leonard Crestez
2022-09-05 7:05 ` [PATCH v8 21/26] tcp: authopt: Try to respect rnextkeyid from SYN on SYNACK Leonard Crestez
2022-09-05 7:05 ` [PATCH v8 22/26] tcp: authopt: Initial support for TCP_AUTHOPT_FLAG_ACTIVE Leonard Crestez
2022-09-05 7:05 ` [PATCH v8 23/26] tcp: authopt: Initial implementation of TCP_REPAIR_AUTHOPT Leonard Crestez
2022-09-05 7:06 ` [PATCH v8 24/26] selftests: nettest: Rename md5_prefix to key_addr_prefix Leonard Crestez
2022-09-05 7:06 ` [PATCH v8 25/26] selftests: nettest: Initial tcp_authopt support Leonard Crestez
2022-09-05 7:06 ` [PATCH v8 26/26] selftests: net/fcnal: " Leonard Crestez
2022-09-09 21:41 ` [PATCH v8 00/26] tcp: Initial support for RFC5925 auth option Salam Noureddine
2022-11-28 14:06 ` Leonard Crestez
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b951b8fb-f2b3-bcbb-8b7f-868b1f78f9bb@gmail.com \
--to=cdleonard@gmail.com \
--cc=0x7f454c46@gmail.com \
--cc=caowangbao@huawei.com \
--cc=colona@arista.com \
--cc=cpaasch@apple.com \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=fruggeri@arista.com \
--cc=herbert@gondor.apana.org.au \
--cc=kuba@kernel.org \
--cc=kuniyu@amazon.co.jp \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=mathew.j.martineau@linux.intel.com \
--cc=netdev@vger.kernel.org \
--cc=noureddine@arista.com \
--cc=philip@trouble.is \
--cc=priyarjha@google.com \
--cc=shuah@kernel.org \
--cc=ycheng@google.com \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).