If I'm not mistaken, CRYPTO_USER requires CAP_NET_ADMIN for all
requests. Is there any reason for this requirement for read-only requests?
I think read-only requests should not require CAP_NET_ADMIN. An example
where this is important is important is AF_ALG. I'm working on AF_ALG
support for GnuTLS, encryption and decryption via AF_ALG does not
require special capabilities. However, retrieving the cipher priority to
determine whether the cipher is hardware accelerated does require
CAP_NET_ADMIN.
Regards,
Matthias-Christian
CRYPTO_USER requires CAP_NET_ADMIN for all operations. Most information
provided by CRYPTO_MSG_GETALG is also accessible through /proc/modules
and AF_ALG. CRYPTO_MSG_GETALG should not require CAP_NET_ADMIN so that
processes without CAP_NET_ADMIN can use CRYPTO_MSG_GETALG to get cipher
details, such as cipher priorities, for AF_ALG.
Signed-off-by: Matthias-Christian Ott <[email protected]>
---
crypto/crypto_user.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
On Friday, April 25, 2014 at 12:51:06 AM, Matthias-Christian Ott wrote:
> CRYPTO_USER requires CAP_NET_ADMIN for all operations. Most information
> provided by CRYPTO_MSG_GETALG is also accessible through /proc/modules
> and AF_ALG. CRYPTO_MSG_GETALG should not require CAP_NET_ADMIN so that
> processes without CAP_NET_ADMIN can use CRYPTO_MSG_GETALG to get cipher
> details, such as cipher priorities, for AF_ALG.
>
> Signed-off-by: Matthias-Christian Ott <[email protected]>
> ---
> crypto/crypto_user.c | 12 +++++++++---
> 1 file changed, 9 insertions(+), 3 deletions(-)
Can you please submit the patch using git send-email so we can properly review
it?
Thank you !
Best regards,
Marek Vasut
On 04/28/14 23:37, Marek Vasut wrote:
> On Friday, April 25, 2014 at 12:51:06 AM, Matthias-Christian Ott wrote:
>> CRYPTO_USER requires CAP_NET_ADMIN for all operations. Most information
>> provided by CRYPTO_MSG_GETALG is also accessible through /proc/modules
>> and AF_ALG. CRYPTO_MSG_GETALG should not require CAP_NET_ADMIN so that
>> processes without CAP_NET_ADMIN can use CRYPTO_MSG_GETALG to get cipher
>> details, such as cipher priorities, for AF_ALG.
>>
>> Signed-off-by: Matthias-Christian Ott <[email protected]>
>> ---
>> crypto/crypto_user.c | 12 +++++++++---
>> 1 file changed, 9 insertions(+), 3 deletions(-)
>
> Can you please submit the patch using git send-email so we can properly review
> it?
git-send-email or more specifically Net::SMTP only works with IPv4. The
SMTP server I use for submission only listens IPv6 addresses. Moreover,
TLS seems broken. I patched Net::SMTP to use IO::Socket::INET6 but gave
up because of the TLS issues and used git format-patch and git imap-send.
Regards,
Matthias-Christian
On Wednesday, April 30, 2014 at 09:23:40 PM, Matthias-Christian Ott wrote:
> On 04/28/14 23:37, Marek Vasut wrote:
> > On Friday, April 25, 2014 at 12:51:06 AM, Matthias-Christian Ott wrote:
> >> CRYPTO_USER requires CAP_NET_ADMIN for all operations. Most information
> >> provided by CRYPTO_MSG_GETALG is also accessible through /proc/modules
> >> and AF_ALG. CRYPTO_MSG_GETALG should not require CAP_NET_ADMIN so that
> >> processes without CAP_NET_ADMIN can use CRYPTO_MSG_GETALG to get cipher
> >> details, such as cipher priorities, for AF_ALG.
> >>
> >> Signed-off-by: Matthias-Christian Ott <[email protected]>
> >> ---
> >>
> >> crypto/crypto_user.c | 12 +++++++++---
> >> 1 file changed, 9 insertions(+), 3 deletions(-)
> >
> > Can you please submit the patch using git send-email so we can properly
> > review it?
>
> git-send-email or more specifically Net::SMTP only works with IPv4. The
> SMTP server I use for submission only listens IPv6 addresses. Moreover,
> TLS seems broken. I patched Net::SMTP to use IO::Socket::INET6 but gave
> up because of the TLS issues and used git format-patch and git imap-send.
You can always set up a separate mailserver or use one of the many free-to-use
mailservers to follow the agreed-upon submission process, right?
Of course, patches for Net::SMTP are welcome.
Best regards,
Marek Vasut
On 05/01/14 12:53, Marek Vasut wrote:
> On Wednesday, April 30, 2014 at 09:23:40 PM, Matthias-Christian Ott wrote:
>> On 04/28/14 23:37, Marek Vasut wrote:
>>> On Friday, April 25, 2014 at 12:51:06 AM, Matthias-Christian Ott wrote:
>>>> CRYPTO_USER requires CAP_NET_ADMIN for all operations. Most information
>>>> provided by CRYPTO_MSG_GETALG is also accessible through /proc/modules
>>>> and AF_ALG. CRYPTO_MSG_GETALG should not require CAP_NET_ADMIN so that
>>>> processes without CAP_NET_ADMIN can use CRYPTO_MSG_GETALG to get cipher
>>>> details, such as cipher priorities, for AF_ALG.
>>>>
>>>> Signed-off-by: Matthias-Christian Ott <[email protected]>
>>>> ---
>>>>
>>>> crypto/crypto_user.c | 12 +++++++++---
>>>> 1 file changed, 9 insertions(+), 3 deletions(-)
>>>
>>> Can you please submit the patch using git send-email so we can properly
>>> review it?
>>
>> git-send-email or more specifically Net::SMTP only works with IPv4. The
>> SMTP server I use for submission only listens IPv6 addresses. Moreover,
>> TLS seems broken. I patched Net::SMTP to use IO::Socket::INET6 but gave
>> up because of the TLS issues and used git format-patch and git imap-send.
>
> You can always set up a separate mailserver or use one of the many free-to-use
> mailservers to follow the agreed-upon submission process, right?
I don't comment on this statement to keep this discussion focused (send
me a private email if you want to discuss it).
I did try to submit the email directly (with SPF disabled) from git
send-email to vger.kernel.org but vger.kernel.org uses greylisting, so I
can't help you with that.
Can you simply copy the file that was attached on the first email I
sent, save it to the filesystem and simply commit it in git? You would
have to do this anyway if I filed a bug in the Kernel Bug Tracker. So
there is an ?agreed-upon submission process? to commit a file.
> Of course, patches for Net::SMTP are welcome.
I reported the bug and someone who actually knows Perl is working on it.
On Thu, Apr 24, 2014 at 10:51:06PM +0000, Matthias-Christian Ott wrote:
>
> CRYPTO_USER requires CAP_NET_ADMIN for all operations. Most information
> provided by CRYPTO_MSG_GETALG is also accessible through /proc/modules
> and AF_ALG. CRYPTO_MSG_GETALG should not require CAP_NET_ADMIN so that
> processes without CAP_NET_ADMIN can use CRYPTO_MSG_GETALG to get cipher
> details, such as cipher priorities, for AF_ALG.
>
> Signed-off-by: Matthias-Christian Ott <[email protected]>
Patch applied.
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt