On Sat, Aug 22, 2020 at 2:01 PM David Miller <davem@xxxxxxxxxxxxx> wrote: > > About the pid part - > > On top of multiple pids to scan for a given socket, there's also the > > security provided by /proc - I'm not sure what inet_diag does for that > > So maybe users calling it will need to scan /proc for a long time anyway... > > > > Or is that doable? > > I'd like to kindly ask that you do more research into how this kind of > information is advertised to the user using modern interfaces, and what > kinds of permissions and checks are done for those. If we wanted to get rid of having to scan /proc from userland when using sock_diag to identify associated processes, I suppose scanning for pids would be the most annoying part? I understand sock_diag uses CAP_NET_ADMIN for some sensitive bits. I thought it would require an additional bit of logic to let an unprivileged user access its own socket "sensitive" data. Your message makes me think I need to read a lot more about it, so I'll try that - but more importantly as you mention APIs and modern interfaces, I think eBPF is going to be of great help to try and hack around this data without disturbing existing APIs. Thanks for taking the time to look into it
