Re: [PATCH bpf-next] xsk: honor SO_BINDTODEVICE on bind

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 7/4/23 4:31 AM, Jason Wang wrote:
On Tue, Jul 4, 2023 at 1:53 AM Ilya Maximets <i.maximets@xxxxxxx> wrote:

Initial creation of an AF_XDP socket requires CAP_NET_RAW capability.
A privileged process might create the socket and pass it to a
non-privileged process for later use.  However, that process will be
able to bind the socket to any network interface.  Even though it will
not be able to receive any traffic without modification of the BPF map,
the situation is not ideal.

Sockets already have a mechanism that can be used to restrict what
interface they can be attached to.  That is SO_BINDTODEVICE.

To change the SO_BINDTODEVICE binding the process will need CAP_NET_RAW.

Make xsk_bind() honor the SO_BINDTODEVICE in order to allow safer
workflow when non-privileged process is using AF_XDP.

The intended workflow is following:

   1. First process creates a bare socket with socket(AF_XDP, ...).
   2. First process loads the XSK program to the interface.
   3. First process adds the socket fd to a BPF map.
   4. First process ties socket fd to a particular interface using
      SO_BINDTODEVICE.
   5. First process sends socket fd to a second process.
   6. Second process allocates UMEM.
   7. Second process binds socket to the interface with bind(...).
   8. Second process sends/receives the traffic.

All the steps above are possible today if the first process is
privileged and the second one has sufficient RLIMIT_MEMLOCK and no
capabilities.  However, the second process will be able to bind the
socket to any interface it wants on step 7 and send traffic from it.
With the proposed change, the second process will be able to bind
the socket only to a specific interface chosen by the first process
at step 4.

Acked-by: Magnus Karlsson <magnus.karlsson@xxxxxxxxx>
Signed-off-by: Ilya Maximets <i.maximets@xxxxxxx>

Acked-by: Jason Wang <jasowang@xxxxxxxxxx>

Is this a stable material or not?

To me this is a bug rather than 'feature', so I applied it to bpf tree and
also added Fixes tag. Thanks everyone!



[Index of Archives]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Linux FS]     [Yosemite Forum]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]     [Linux Resources]

  Powered by Linux