From: David Ahern <dsahern@gmail.com>
To: Vincent Bernat <vincent@bernat.ch>
Cc: David Miller <davem@davemloft.net>,
	netdev@vger.kernel.org, Laurent Fasnacht <fasnacht@protonmail.ch>
Subject: Re: [PATCH net-next v2] net: core: enable SO_BINDTODEVICE for non-root users
Date: Wed, 28 Oct 2020 09:22:48 -0600
Message-ID: <feef6da5-efbe-6ab9-0a2e-761cd7340cf7@gmail.com>
In-Reply-To: <87tuugkui2.fsf@bernat.ch>

On 10/27/20 1:17 AM, Vincent Bernat wrote:
>  ❦ 23 October 2020 08:40 -06, David Ahern:
> 
>>> I am wondering if we should revert the patch for 5.10 while we can,
>>> waiting for a better solution (and breaking people relying on the new
>>> behavior in 5.9).
>>>
>>> Then, I can propose a patch with a sysctl to avoid breaking existing
>>> setups.
>>>
>>
>> I have not walked the details, but it seems like a security policy can
>> be installed to get the previous behavior.
> 
> libtorrent is using SO_BINDTODEVICE for some reason (code is quite old,
> so no git history). Previously, the call was unsuccessful and the error
> was logged and ignored. Now, it succeeds and circumvents the routing
> policy. Using Netfilter does not help as libtorrent won't act on dropped
> packets as the socket is already configured on the wrong interface.
> kprobe is unable to modify a syscall and seccomp cannot be applied
> globally. LSMs are usually distro specific. What kind of security policy
> do you have in mind?
> 

Nothing specific; I was hand-waving.

There are bpf hooks to set and unset socket options, but those seem
inconvenient here.

I guess a sysctl is the only practical solution. If you do that we
should have granularity - any device, l3mdev devices only, ...

Thread overview: 7+ messages
2020-03-31 13:20 [PATCH net-next v2] net: core: enable SO_BINDTODEVICE for non-root users Vincent Bernat
2020-04-02 17:31 ` David Ahern
2020-04-03  0:47 ` David Miller
2020-10-23 10:02   ` Vincent Bernat
2020-10-23 14:40     ` David Ahern
2020-10-27  7:17       ` Vincent Bernat
2020-10-28 15:22         ` David Ahern [this message]
