Re: [PATCH v4 5/7] net/tcp: Don't add key with non-matching VRF on connected sockets

From: Eric Dumazet
Date: Wed Nov 29 2023 - 12:59:40 EST

Next message: Ira Weiny: "[PATCH 0/6] efi/cxl-cper: Report CPER CXL component events through trace events"
Previous message: Eric Dumazet: "Re: [PATCH v4 4/7] net/tcp: Allow removing current/rnext TCP-AO keys on TCP_LISTEN sockets"
In reply to: Dmitry Safonov: "[PATCH v4 5/7] net/tcp: Don't add key with non-matching VRF on connected sockets"
Next in thread: Dmitry Safonov: "[PATCH v4 4/7] net/tcp: Allow removing current/rnext TCP-AO keys on TCP_LISTEN sockets"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Nov 29, 2023 at 5:57 PM Dmitry Safonov <dima@xxxxxxxxxx> wrote:
>
> If the connection was established, don't allow adding TCP-AO keys that
> don't match the peer. Currently, there are checks for ip-address
> matching, but L3 index check is missing. Add it to restrict userspace
> shooting itself somewhere.
>
> Yet, nothing restricts the CAP_NET_RAW user from trying to shoot
> themselves by performing setsockopt(SO_BINDTODEVICE) or
> setsockopt(SO_BINDTOIFINDEX) over an established TCP-AO connection.
> So, this is just "minimum effort" to potentially save someone's
> debugging time, rather than a full restriction on doing weird things.
>
> Fixes: 248411b8cb89 ("net/tcp: Wire up l3index to TCP-AO")
> Signed-off-by: Dmitry Safonov <dima@xxxxxxxxxx>

Reviewed-by: Eric Dumazet <edumazet@xxxxxxxxxx>

Next message: Ira Weiny: "[PATCH 0/6] efi/cxl-cper: Report CPER CXL component events through trace events"
Previous message: Eric Dumazet: "Re: [PATCH v4 4/7] net/tcp: Allow removing current/rnext TCP-AO keys on TCP_LISTEN sockets"
In reply to: Dmitry Safonov: "[PATCH v4 5/7] net/tcp: Don't add key with non-matching VRF on connected sockets"
Next in thread: Dmitry Safonov: "[PATCH v4 4/7] net/tcp: Allow removing current/rnext TCP-AO keys on TCP_LISTEN sockets"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]