Re: [PATCH v2 2/2] net: socket: implement SO_DESCRIPTION
From: Pascal Bouchareine
Date: Sun Aug 23 2020 - 18:28:53 EST
On Sat, Aug 22, 2020 at 2:01 PM David Miller <davem@xxxxxxxxxxxxx> wrote:
> > About the pid part -
> > On top of multiple pids to scan for a given socket, there's also the
> > security provided by /proc - I'm not sure what inet_diag does for that
> > So maybe users calling it will need to scan /proc for a long time anyway...
> >
> > Or is that doable?
>
> I'd like to kindly ask that you do more research into how this kind of
> information is advertised to the user using modern interfaces, and what
> kinds of permissions and checks are done for those.
If we wanted to get rid of having to scan /proc from userland when
using sock_diag to identify associated processes,
I suppose scanning for pids would be the most annoying part?
I understand sock_diag uses CAP_NET_ADMIN for some sensitive bits.
I thought it would require an additional bit of logic to let an
unprivileged user access its own socket "sensitive" data.
Your message makes me think I need to read a lot more about it, so
I'll try that - but more importantly
as you mention APIs and modern interfaces, I think eBPF is going to be
of great help to try and hack
around this data without disturbing existing APIs.
Thanks for taking the time to look into it