On Mon, Nov 4, 2024 at 8:19 AM Jakub Kicinski <kuba@xxxxxxxxxx> wrote: > > On Sun, 3 Nov 2024 22:25:44 -0800 Li Li wrote: > > > You're trying to register multiple families with different names? > > > The family defines the language / protocol. If you have multiple > > > entities to multiplex you should do that based on attributes inside > > > the messages. > > > > My initial plan was to use a single "binder" family, which was more > > straightforward and cleaner. As Android uses multiple binder contexts > > to isolate system framework and vendor domains[1], Grek KH suggested > > the netlink messages from different binder contexts should also be > > isolated for security reason[2]. Personally I'm fine with either > > approach. Please kindly advice which implementation is better. > > > > And I'll fix other issues you mentioned above. > > Greg is obviously right, but using different family names will not help > you in any way. There is no action of "opening" a socket for a generic > netlink family, one generic netlink socket can talk to all families. > The only built in checking netlink provides is that you can declare > an operation as requiring admin privileges, or network capability > (namespaced or global). > > Unless those are good enough for you - I think you should do all > the security isolation within your code, manually. That's why binder genl uses unicast instead of multicast. The administration process of the OS (Android in this case) always runs before any other user applications, which registers itself to the kernel binder driver and uses it exclusively. With a unified family name, the same userspace admin process has access to all binder contexts. With separate family names, each domain admin process can register itself to the corresponding binder context. So, do you think the current implementation of registering multiple families with different names acceptable? Or is there a better way to do it? Thank you very much!
