How do Netlink and security interact with each other?

I understand that Netlink is a modern and proper way to link the kernel and user space on Linux.

I have a kernel module that needs to be configured, so I use Netlink to talk to the user space application.

Everything works wonders, but it seems to me that any user can talk with my module. I could block the application using permissions, etc., but the project is Open Source, so any user can easily compile the application for user space. Ergo, any user can configure my kernel. And this is not very good with me.

I seem to be missing something very important here, but the Netlink documentation I find is all about how to make it work, not how it works in the real world.

How can I restrict access to a Netlink socket? If this is not possible, what else can be done about this?

+4
1 answer

Facepalm

From RFC 3549:

Netlink lives in a trusted environment of a single host, separated by a kernel and user space. Linux features ensure that only someone with CAP_NET_ADMIN capabilities (usually the root user) is allowed to open sockets.

The core is supposed to be the one who reports whether the module should continue to work or not, not Netlink. OBVIOUSLY.

Just block by coding in kernelspace

    /* If the current thread of execution doesn't have the proper privileges... */
    if (!capable(CAP_NET_ADMIN)) { /* Or CAP_SYS_ADMIN or whatever */
        /* Throw this request away. */
        return -EPERM;
    }

done.

Thanks to ipclouds and tadokoro for guiding me in the right direction.

+4

Source: https://habr.com/ru/post/1500956/
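
A user-space companion to the kernel-side check in the answer, added here as an example and not part of the original post: it reads the effective capability mask from `/proc/<pid>/status` text and reports whether that process would get past `capable(CAP_NET_ADMIN)`. The process name `cfgtool` and the sample status excerpts are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_NET_ADMIN_BIT 12 /* CAP_NET_ADMIN in <linux/capability.h> */

/* Constructed /proc/<pid>/status excerpts (not captured from a real host). */
static const char SAMPLE_ROOT[]   = "Name:\tcfgtool\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n";
static const char SAMPLE_USER[]   = "Name:\tcfgtool\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n";
/* Non-root process granted only CAP_NET_ADMIN: uid is irrelevant to capable(). */
static const char SAMPLE_CAPPED[] = "Name:\tcfgtool\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000001000\n";

/* Extract the CapEff mask from status text. Returns 0 on success, -1 if the
 * field is missing or has no hex digits. */
int parse_cap_eff(const char *text, unsigned long long *mask)
{
    for (const char *line = text; line && *line; ) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            const char *p = line + 7;
            while (*p == ' ' || *p == '\t')
                p++;
            if (!isxdigit((unsigned char)*p))
                return -1;
            *mask = strtoull(p, NULL, 16);
            return 0;
        }
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return -1;
}

/* 1: would pass capable(CAP_NET_ADMIN); 0: would get -EPERM; -1: unknown.
 * Only meaningful for processes in the initial user namespace, since
 * capable() checks capabilities against that namespace. */
int passes_net_admin_check(const char *text)
{
    unsigned long long mask;
    if (parse_cap_eff(text, &mask) != 0)
        return -1;
    return (int)((mask >> CAP_NET_ADMIN_BIT) & 1ULL);
}

int main(void)
{
    printf("root=%d user=%d capped=%d\n", passes_net_admin_check(SAMPLE_ROOT),
           passes_net_admin_check(SAMPLE_USER), passes_net_admin_check(SAMPLE_CAPPED));
    return 0;
}
```

The third sample shows why the check is about capabilities rather than uid: a non-root process holding only `CAP_NET_ADMIN` passes, while an ordinary user who recompiles the open-source client does not.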
