Re: [PATCH v3 6/7] netlink: Add multicast group level permissions

From: Anjali Kulkarni
Date: Fri Mar 31 2023 - 13:01:22 EST

> On Mar 30, 2023, at 11:39 PM, Jakub Kicinski <kuba@xxxxxxxxxx> wrote:
>
> On Wed, 29 Mar 2023 11:25:42 -0700 Anjali Kulkarni wrote:
>> A new field perm_groups is added in netlink_sock to store the protocol's
>> multicast group access permissions. This is to allow for a more fine
>> grained access control than just at the protocol level. These
>> permissions can be supplied by the protocol via the netlink_kernel_cfg.
>> A new function netlink_multicast_allowed() is added, which checks if
>> the protocol's multicast group has non-root access before allowing bind.
>
> Is there a reason this is better than implementing .bind
> in the connector family and filtering there?

Are you suggesting adding something like a new struct proto_ops for the connector family? I have not looked into that, though that would seem like a lot of work, and also I have not seen any infrastructure to call into a protocol-specific bind from netlink bind?