Re: Is ndo_do_ioctl still acceptable?

From: Stephen Hemminger
Date: Thu Nov 12 2015 - 17:27:15 EST

On Thu, 12 Nov 2015 23:19:06 +0100
"Jason A. Donenfeld" <Jason@xxxxxxxxx> wrote:

> On Thu, Nov 12, 2015 at 9:30 PM, Austin S Hemmelgarn
> <ahferroin7@xxxxxxxxx> wrote:
> >>
> > On the other hand, based on what you are saying about your device, it sounds
> > like you are working on some kind of cryptographically secured (either
> > authenticated or encrypted or both) tunnel, in which case the fact that
> > security is easier to handle with netlink than ioctls becomes important. If
> > you can't ensure security of the endpoint configuration, you can't ensure
> > security of the tunnel itself.
> Could you substantiate these claims that "security is easier to handle
> with netlink". I've never heard this and I don't know why it'd be the
> case. Are you referring to the fact that the copy_to/from_user dance
> of ioctl opens up more potential vulnerabilities than netlink's
> abstracted validation? Or something else? Just confused here...

It means that with netlink it possible to checks on field types and lengths
in generic manner. Ioctl's have the whole compat mess to deal with.
Also when using seccomp it is possible to write code to look at netlink
messages. With ioctl's that is much more difficult especially since the
same ioctl may have different meanings for each device type.

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at