Subject: Re: KAUTH_REQ_NETWORK_SOCKET_OPEN
To: David Young <dyoung@pobox.com>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-kern
Date: 02/02/2007 15:49:47
On Wed, Jan 31, 2007 at 05:08:43PM -0600, David Young wrote:
> On Wed, Jan 31, 2007 at 05:37:07PM -0500, Thor Lancelot Simon wrote:
> > On Wed, Jan 31, 2007 at 01:05:40PM -0600, David Young wrote:
> > >
> > > The rule "only root can create a raw socket, PF_ROUTE and PF_BLUETOOTH
> > > sockets excepted" is a blunt instrument for enforcing a policy on
> > > what packets a program can send and receive.
> >
> > I don't agree. I believe it's the correct policy, to prohibit non-
> > superuser programs on multiuser systems from sending arbitrary network
> > packets behind the stack's back; that we have no appropriate socket
> > interfaces to many common protocols we do wish to let nonprivileged
> > programs use is the real problem.
>
> Based on what you just wrote, I think you do agree: it is a blunt
> instrument for policy enforcement. :-)
Not if you meaen "overly blunt". It is exactly as "blunt" as it should
be: non-root users should not be able to modify arbitrary parts of packets
for _any_ protocol family. Where it is "necessary" that they do so, that
reveals that we lack in-kernel code for safely sending and receiving some
kind of higher-level protocol packet; and that is a bug.
Enforcing "less blunt" restrictions on SOCK_RAW as a workaround for that
bug is *also* a bug.
Thor