We should get rid of Netlink. #75

Closed
ydahhrk opened this Issue Jan 16, 2014 · 3 comments

@ydahhrk
Member

ydahhrk commented Jan 16, 2014

-- For the most part, at least.

Here's the background:

Which means that any user can wreck the NAT64's traffic.

Netlink is fine for querying the module (for the BIB and session databases and such), but anything configuration-related would be best left for sysctls and whatnot.

I'm tagging this as non-critical because people can work around it by not giving untrusted users access to the translator machine. As far as security goes, however, it sounds quite unacceptable.

@ipclouds

ipclouds commented Jan 17, 2014

According to the RFC:

"Netlink lives in a trusted environment of a single host separated by
kernel and user space. Linux capabilities ensure that only someone
with CAP_NET_ADMIN capability (typically, the root user) is allowed
to open sockets."

Netlink itself can handle security policies on the kernel module, with the struct genl_ops for example.

libnl (I think this is the one you're using) has some authentication functionality with nl_socket_set_passcred.

What I'm trying to say is that you guys need to be correctly validating the origin of Netlink messages. You need to secure your code and not expect it to be secure by itself.

If changing to sysctls already provides security controls for you, then go ahead.

Just my 2 cents
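The genl_ops-based policy the comment above refers to, as an added userland model that is not Jool's code or the kernel's: the op table marks configuration commands as requiring CAP_NET_ADMIN while leaving the BIB/session queries open, and the dispatcher applies the check the generic netlink core performs before a handler runs. The command names, the NAT64 op table and the capability bitmask are constructed for this example; GENL_ADMIN_PERM, CAP_NET_ADMIN and netlink_capable are the kernel's names, re-declared here as simplified stand-ins so the file compiles on its own.

```c
/* Added userland model of the generic netlink permission check; not Jool's
 * module or kernel code. Kernel names are re-declared as simplified stand-ins. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

#define CAP_NET_ADMIN   12   /* same value as the kernel's capability.h */
#define GENL_ADMIN_PERM 0x01 /* "op needs CAP_NET_ADMIN", as in genetlink.h */

/* Commands a NAT64 module might expose (constructed for this example). */
enum { CMD_QUERY_BIB, CMD_QUERY_SESSION, CMD_SET_CONFIG, CMD_FLUSH_BIB };

struct genl_ops { unsigned int cmd; unsigned int flags; };

/* Stand-in for netlink_capable(): caps come from the sending socket, not the message. */
static bool netlink_capable(unsigned long sender_caps, int cap)
{
    return (sender_caps >> cap) & 1UL;
}

/* The check the generic netlink core makes before calling an op's handler:
 * a GENL_ADMIN_PERM op from a sender lacking CAP_NET_ADMIN gets -EPERM and
 * never reaches the module's code. Returns 0 when the handler would run. */
int genl_dispatch(const struct genl_ops *ops, size_t n_ops, unsigned int cmd, unsigned long sender_caps)
{
    for (size_t i = 0; i < n_ops; i++) {
        if (ops[i].cmd != cmd)
            continue;
        if ((ops[i].flags & GENL_ADMIN_PERM) &&
            !netlink_capable(sender_caps, CAP_NET_ADMIN))
            return -EPERM;
        return 0;
    }
    return -EOPNOTSUPP;
}

/* Read-only database queries stay open to any local user; anything that
 * changes the translator's configuration is marked GENL_ADMIN_PERM. */
static const struct genl_ops nat64_ops[] = {
    { CMD_QUERY_BIB,     0 },
    { CMD_QUERY_SESSION, 0 },
    { CMD_SET_CONFIG,    GENL_ADMIN_PERM },
    { CMD_FLUSH_BIB,     GENL_ADMIN_PERM },
};

int nat64_handle(unsigned int cmd, unsigned long sender_caps)
{
    return genl_dispatch(nat64_ops, sizeof nat64_ops / sizeof nat64_ops[0],
                         cmd, sender_caps);
}
```

An op table with flags 0 everywhere reproduces the situation the issue describes: any local user's configuration message reaches the handler.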


@ydahhrk
Member

ydahhrk commented Jan 20, 2014

Thank you.

We'll have a look at these structures. Looks like we no longer have a reason to make a complete overhaul.


@ydahhrk ydahhrk assigned dhfelix and patybarron and unassigned dhfelix and patybarron Feb 20, 2014

@ydahhrk
Member

ydahhrk commented Feb 21, 2014

Solved and collapsed to the master branch; closing.


@ydahhrk ydahhrk closed this Feb 21, 2014
