Re: [PATCH 4/5] connector/cn_proc: Allow non-root users access

From: Anjali Kulkarni
Date: Fri Mar 10 2023 - 15:48:28 EST

________________________________________
From: Christian Brauner <brauner@xxxxxxxxxx>
Sent: Thursday, March 9, 2023 9:09 AM
To: Anjali Kulkarni
Cc: davem@xxxxxxxxxxxxx; edumazet@xxxxxxxxxx; kuba@xxxxxxxxxx; pabeni@xxxxxxxxxx; zbr@xxxxxxxxxxx; johannes@xxxxxxxxxxxxxxxx; ecree.xilinx@xxxxxxxxx; leon@xxxxxxxxxx; keescook@xxxxxxxxxxxx; socketcan@xxxxxxxxxxxx; petrm@xxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx; netdev@xxxxxxxxxxxxxxx
Subject: Re: [PATCH 4/5] connector/cn_proc: Allow non-root users access

On Wed, Mar 08, 2023 at 07:19:52PM -0800, Anjali Kulkarni wrote:
> The patch allows non-root users to receive cn proc connector
> notifications, as anyone can normally get process start/exit status from
> /proc. The reason for not allowing non-root users to receive multicast
> messages is long gone, as described in this thread:
> https://linux-kernel.vger.kernel.narkive.com/CpJFcnra/multicast-netlink-for-non-root-process

Sorry, that thread is kinda convoluted. Could you please provide a
summary in the commit message and explain why this isn't an issue
anymore?

ANJALI> Looking into this some more, I think that instead of adding non-root access for all NETLINK_CONNECTOR users by including the flag NL_CFG_F_NONROOT_RECV, we could make this change at an even more fine-grained level than the protocol level. So I will add a check to enable non-root access only for the event notification (cn_proc) user of NETLINK_CONNECTOR, based on the multicast group. Since CONNECTOR is very generic and could be used for varied purposes, a more fine-grained approach may be required here. I will send the next patch series with this change.
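The two permission models the reply contrasts, as a user-space C model added here for illustration (not the patch's code): a protocol-wide NL_CFG_F_NONROOT_RECV grant versus a per-group check that opens only cn_proc's multicast group to unprivileged sockets. It assumes netlink's convention that bit N-1 of nl_groups selects group N and that other groups keep requiring CAP_NET_ADMIN; the group indices are the ones from <linux/connector.h>.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
/* Multicast group indices from <linux/connector.h>; only cn_proc's group
 * (CN_IDX_PROC) is opened to unprivileged listeners in the policy below. */
#define CN_IDX_PROC 0x1
#define CN_IDX_CIFS 0x2
/* A bind policy decides whether a socket may join connector group `group`. */
typedef int (*bind_policy_t)(bool has_net_admin, unsigned int group);
/* Protocol-wide policy: NL_CFG_F_NONROOT_RECV alone lets any user join any
 * connector group, including ones unrelated to process events. */
static int policy_protocol_wide(bool has_net_admin, unsigned int group)
{
    (void)has_net_admin;
    (void)group;
    return 0;
}
/* Per-group policy (assumed sketch): unprivileged sockets may join
 * CN_IDX_PROC only; every other connector group still needs CAP_NET_ADMIN. */
static int policy_per_group(bool has_net_admin, unsigned int group)
{
    if (has_net_admin || group == CN_IDX_PROC)
        return 0;
    return -EPERM;
}
/* Model of a netlink bind(): nl_groups is a bitmask in which bit N-1 selects
 * group N, and the policy is consulted once per requested group. A single
 * refusal fails the whole bind, as netlink's bind does. */
int connector_bind(bind_policy_t policy, bool has_net_admin, unsigned int nl_groups)
{
    for (unsigned int bit = 0; bit < 32; bit++) {
        if (!(nl_groups & (1u << bit)))
            continue;
        int err = policy(has_net_admin, bit + 1);
        if (err)
            return err;
    }
    return 0;
}
int main(void)
{
    unsigned int proc = 1u << (CN_IDX_PROC - 1), cifs = 1u << (CN_IDX_CIFS - 1);
    printf("per-group, non-root, cn_proc: %d\n", connector_bind(policy_per_group, false, proc));
    printf("per-group, non-root, cn_proc|cifs: %d\n", connector_bind(policy_per_group, false, proc | cifs));
    printf("protocol-wide, non-root, cifs: %d\n", connector_bind(policy_protocol_wide, false, cifs));
    return 0;
}
```

The third line of output is the over-broad grant the reply wants to avoid: with only the protocol-wide flag, an unprivileged socket can join a connector group that has nothing to do with process events.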