From: Ondrej Mosnacek
Date: Tue, 9 Jul 2019 17:28:35 +0200
Subject: Re: [PATCH] crypto: user - make NETLINK_CRYPTO work inside netns
To: Herbert Xu
Cc: linux-crypto@vger.kernel.org, netdev@vger.kernel.org, "David S . Miller", Stephan Mueller, Steffen Klassert, Don Zickus
In-Reply-To: <20190709143832.hej23rahmb4basy6@gondor.apana.org.au>
References: <20190709111124.31127-1-omosnace@redhat.com> <20190709143832.hej23rahmb4basy6@gondor.apana.org.au>
List-ID: linux-crypto@vger.kernel.org

On Tue, Jul 9, 2019 at 4:38 PM Herbert Xu wrote:
> On Tue, Jul 09, 2019 at 01:11:24PM +0200, Ondrej Mosnacek wrote:
> > Currently, NETLINK_CRYPTO works only in the init network namespace. It
> > doesn't make much sense to cut it out of the other network namespaces,
> > so do the minor plumbing work necessary to make it work in any network
> > namespace. Code inspired by net/core/sock_diag.c.
> >
> > Tested using kcapi-dgst from libkcapi [1]:
> > Before:
> > # unshare -n kcapi-dgst -c sha256
> > libkcapi - Error: Netlink error: sendmsg failed
> > libkcapi - Error: Netlink error: sendmsg failed
> > libkcapi - Error: NETLINK_CRYPTO: cannot obtain cipher information for hmac(sha512) (is required crypto_user.c patch missing? see documentation)
> > 0
> >
> > After:
> > # unshare -n kcapi-dgst -c sha256
> > 32
> >
> > [1] https://github.com/smuellerDD/libkcapi
> >
> > Signed-off-by: Ondrej Mosnacek
>
> Should we really let root inside a namespace manipulate crypto
> algorithms which are global?

I admit I'm not an expert on Linux namespaces, but aren't you confusing network and user namespaces? Unless I'm mistaken, these changes only affect _network_ namespaces (which only isolate the network stuff itself) and the semantics of the netlink_capable(skb, CAP_NET_ADMIN) calls remain unchanged - they check if the opener of the socket has the CAP_NET_ADMIN capability within the global _user_ namespace.

> I think we should only allow the query operations without deeper
> surgery.
>
> Cheers,
> --
> Email: Herbert Xu
> Home Page: http://gondor.apana.org.au/~herbert/
> PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

--
Ondrej Mosnacek
Software Engineer, Security Technologies
Red Hat, Inc.
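A small userspace probe for the behaviour the patch description tests, added here as an example and not code from the thread or from libkcapi: it builds a CRYPTO_MSG_GETALG request (the query operation Herbert refers to), sends it over NETLINK_CRYPTO and reports whether the kernel accepted it in the current network namespace, so running it plainly and under `unshare -n` shows the before/after difference. It assumes Linux with the UAPI header linux/cryptouser.h; the struct and function names are this example's own.

```c
/* Added example (not from the thread or libkcapi): send a CRYPTO_MSG_GETALG
 * request over NETLINK_CRYPTO and report whether the kernel accepts it in
 * the current network namespace. Run under "unshare -n" to compare. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/cryptouser.h>

/* Netlink header followed by the UAPI crypto_user_alg payload. */
struct getalg_req { struct nlmsghdr nlh; struct crypto_user_alg alg; };

/* Fill in a GETALG request; returns -1 if the name does not fit cru_name. */
int build_getalg(struct getalg_req *req, const char *name)
{
    memset(req, 0, sizeof(*req));
    if (strlen(name) >= CRYPTO_MAX_NAME)
        return -1;
    req->nlh.nlmsg_len = NLMSG_LENGTH(sizeof(req->alg));
    req->nlh.nlmsg_type = CRYPTO_MSG_GETALG;
    req->nlh.nlmsg_flags = NLM_F_REQUEST;
    strncpy(req->alg.cru_name, name, CRYPTO_MAX_NAME - 1);
    return 0;
}

/* Returns 0 if the kernel accepted the request, otherwise the errno
 * (in the "before" case of the patch description the request is not
 * delivered in a non-init netns; libkcapi reports "sendmsg failed"). */
int send_getalg(const char *name)
{
    struct getalg_req req;
    struct sockaddr_nl dst = { .nl_family = AF_NETLINK };
    int fd, err = 0;
    if (build_getalg(&req, name) < 0)
        return EINVAL;
    if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_CRYPTO)) < 0)
        return errno;
    if (sendto(fd, &req, req.nlh.nlmsg_len, 0,
               (struct sockaddr *)&dst, sizeof(dst)) < 0)
        err = errno;
    close(fd);
    return err;
}

int main(void)
{
    int err = send_getalg("sha256");
    printf("NETLINK_CRYPTO GETALG: %s\n", err ? strerror(err) : "accepted");
    return err ? 1 : 0;
}
```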