From: Leonard Crestez <cdleonard@gmail.com>
To: Dmitry Safonov <0x7f454c46@gmail.com>,
David Ahern <dsahern@kernel.org>, Shuah Khan <shuah@kernel.org>
Cc: Eric Dumazet <edumazet@google.com>,
"David S. Miller" <davem@davemloft.net>,
Herbert Xu <herbert@gondor.apana.org.au>,
Kuniyuki Iwashima <kuniyu@amazon.co.jp>,
Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
Jakub Kicinski <kuba@kernel.org>,
Yuchung Cheng <ycheng@google.com>,
Francesco Ruggeri <fruggeri@arista.com>,
Mat Martineau <mathew.j.martineau@linux.intel.com>,
Christoph Paasch <cpaasch@apple.com>,
Ivan Delalande <colona@arista.com>,
Priyaranjan Jha <priyarjha@google.com>,
Menglong Dong <dong.menglong@zte.com.cn>,
netdev@vger.kernel.org, linux-crypto@vger.kernel.org,
linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 08/19] tcp: authopt: Disable via sysctl by default
Date: Tue, 21 Sep 2021 19:14:51 +0300 [thread overview]
Message-ID: <b0abf2b789220708011a862a892c37b0fd76dc25.1632240523.git.cdleonard@gmail.com> (raw)
In-Reply-To: <cover.1632240523.git.cdleonard@gmail.com>
This is mainly intended to protect against local privilege escalations
through a rarely used feature so it is deliberately not namespaced.
Enforcement is only at the setsockopt level, this should be enough to
ensure that the tcp_authopt_needed static key never turns on.
No effort is made to handle disabling when the feature is already in
use.
Signed-off-by: Leonard Crestez <cdleonard@gmail.com>
---
Documentation/networking/ip-sysctl.rst | 6 ++++++
include/net/tcp_authopt.h | 1 +
net/ipv4/sysctl_net_ipv4.c | 10 ++++++++++
net/ipv4/tcp_authopt.c | 11 +++++++++++
4 files changed, 28 insertions(+)
diff --git a/Documentation/networking/ip-sysctl.rst b/Documentation/networking/ip-sysctl.rst
index d91ab28718d4..16e34268ecb4 100644
--- a/Documentation/networking/ip-sysctl.rst
+++ b/Documentation/networking/ip-sysctl.rst
@@ -995,10 +995,16 @@ tcp_rx_skb_cache - BOOLEAN
on systems with a lot of TCP sockets, since it increases
memory usage.
Default: 0 (disabled)
+tcp_authopt - BOOLEAN
+ Enable the TCP Authentication Option (RFC5925), a replacement for TCP
+ MD5 Signatures (RFC2835).
+
+ Default: 0
+
UDP variables
=============
udp_l3mdev_accept - BOOLEAN
Enabling this option allows a "global" bound socket to work
diff --git a/include/net/tcp_authopt.h b/include/net/tcp_authopt.h
index 263f98c3a1a8..422f0034d32b 100644
--- a/include/net/tcp_authopt.h
+++ b/include/net/tcp_authopt.h
@@ -51,10 +51,11 @@ struct tcp_authopt_info {
u32 src_isn;
u32 dst_isn;
};
#ifdef CONFIG_TCP_AUTHOPT
+extern int sysctl_tcp_authopt;
DECLARE_STATIC_KEY_FALSE(tcp_authopt_needed);
void tcp_authopt_free(struct sock *sk, struct tcp_authopt_info *info);
void tcp_authopt_clear(struct sock *sk);
int tcp_set_authopt(struct sock *sk, sockptr_t optval, unsigned int optlen);
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index 4680268f2e59..365466fbca8b 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -17,10 +17,11 @@
#include <net/udp.h>
#include <net/cipso_ipv4.h>
#include <net/ping.h>
#include <net/protocol.h>
#include <net/netevent.h>
+#include <net/tcp_authopt.h>
static int two = 2;
static int three __maybe_unused = 3;
static int four = 4;
static int thousand = 1000;
@@ -595,10 +596,19 @@ static struct ctl_table ipv4_table[] = {
.procname = "tcp_tx_skb_cache",
.data = &tcp_tx_skb_cache_key.key,
.mode = 0644,
.proc_handler = proc_do_static_key,
},
+#ifdef CONFIG_TCP_AUTHOPT
+ {
+ .procname = "tcp_authopt",
+ .data = &sysctl_tcp_authopt,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec,
+ },
+#endif
{ }
};
static struct ctl_table ipv4_net_table[] = {
{
diff --git a/net/ipv4/tcp_authopt.c b/net/ipv4/tcp_authopt.c
index 0c32b8fb1d41..41f844d5d49a 100644
--- a/net/ipv4/tcp_authopt.c
+++ b/net/ipv4/tcp_authopt.c
@@ -3,10 +3,15 @@
#include <linux/kernel.h>
#include <net/tcp.h>
#include <net/tcp_authopt.h>
#include <crypto/hash.h>
+/* This is mainly intended to protect against local privilege escalations through
+ * a rarely used feature so it is deliberately not namespaced.
+ */
+int sysctl_tcp_authopt;
+
/* This is enabled when first struct tcp_authopt_info is allocated and never released */
DEFINE_STATIC_KEY_FALSE(tcp_authopt_needed);
/* only for CONFIG_IPV6=m */
EXPORT_SYMBOL(tcp_authopt_needed);
@@ -361,10 +366,12 @@ int tcp_set_authopt(struct sock *sk, sockptr_t optval, unsigned int optlen)
struct tcp_authopt opt;
struct tcp_authopt_info *info;
int err;
sock_owned_by_me(sk);
+ if (!sysctl_tcp_authopt)
+ return -EPERM;
err = _copy_from_sockptr_tolerant((u8*)&opt, sizeof(opt), optval, optlen);
if (err)
return err;
@@ -384,10 +391,12 @@ int tcp_get_authopt_val(struct sock *sk, struct tcp_authopt *opt)
{
struct tcp_sock *tp = tcp_sk(sk);
struct tcp_authopt_info *info;
sock_owned_by_me(sk);
+ if (!sysctl_tcp_authopt)
+ return -EPERM;
memset(opt, 0, sizeof(*opt));
info = rcu_dereference_check(tp->authopt_info, lockdep_sock_is_held(sk));
if (!info)
return -ENOENT;
@@ -452,10 +461,12 @@ int tcp_set_authopt_key(struct sock *sk, sockptr_t optval, unsigned int optlen)
struct tcp_authopt_key_info *key_info, *old_key_info;
struct tcp_authopt_alg_imp *alg;
int err;
sock_owned_by_me(sk);
+ if (!sysctl_tcp_authopt)
+ return -EPERM;
err = _copy_from_sockptr_tolerant((u8*)&opt, sizeof(opt), optval, optlen);
if (err)
return err;
--
2.25.1
next prev parent reply other threads:[~2021-09-21 16:17 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-21 16:14 [PATCH 00/19] tcp: Initial support for RFC5925 auth option Leonard Crestez
2021-09-21 16:14 ` [PATCH 01/19] tcp: authopt: Initial support and key management Leonard Crestez
2021-09-21 16:14 ` [PATCH 02/19] docs: Add user documentation for tcp_authopt Leonard Crestez
2021-09-21 16:14 ` [PATCH 03/19] selftests: Initial tcp_authopt test module Leonard Crestez
2021-09-21 16:14 ` [PATCH 04/19] selftests: tcp_authopt: Initial sockopt manipulation Leonard Crestez
2021-09-21 16:14 ` [PATCH 05/19] tcp: authopt: Add crypto initialization Leonard Crestez
2021-09-21 16:14 ` [PATCH 06/19] tcp: authopt: Compute packet signatures Leonard Crestez
2021-09-21 16:14 ` [PATCH 07/19] tcp: authopt: Hook into tcp core Leonard Crestez
2021-09-21 16:14 ` Leonard Crestez [this message]
2021-09-25 1:57 ` [PATCH 08/19] tcp: authopt: Disable via sysctl by default David Ahern
2021-09-25 14:14 ` Leonard Crestez
2021-09-21 16:14 ` [PATCH 09/19] selftests: tcp_authopt: Test key address binding Leonard Crestez
2021-09-21 16:14 ` [PATCH 10/19] tcp: ipv6: Add AO signing for tcp_v6_send_response Leonard Crestez
2021-09-21 16:14 ` [PATCH 11/19] tcp: authopt: Add support for signing skb-less replies Leonard Crestez
2021-09-21 16:14 ` [PATCH 12/19] tcp: ipv4: Add AO signing for " Leonard Crestez
2021-09-21 16:14 ` [PATCH 13/19] selftests: tcp_authopt: Add scapy-based packet signing code Leonard Crestez
2021-09-21 16:14 ` [PATCH 14/19] selftests: tcp_authopt: Add packet-level tests Leonard Crestez
2021-09-21 16:14 ` [PATCH 15/19] selftests: Initial tcp_authopt support for nettest Leonard Crestez
2021-09-21 16:14 ` [PATCH 16/19] selftests: Initial tcp_authopt support for fcnal-test Leonard Crestez
2021-09-21 16:15 ` [PATCH 17/19] selftests: Add -t tcp_authopt option for fcnal-test.sh Leonard Crestez
2021-09-25 1:52 ` David Ahern
2021-09-25 14:38 ` Leonard Crestez
2021-09-21 16:15 ` [PATCH 18/19] tcp: authopt: Add key selection controls Leonard Crestez
2021-09-21 16:15 ` [PATCH 19/19] selftests: tcp_authopt: Add tests for rollover Leonard Crestez
2021-09-21 23:13 ` [PATCH 00/19] tcp: Initial support for RFC5925 auth option Jakub Kicinski
2021-09-23 7:49 ` Leonard Crestez
2021-09-23 13:58 ` Jakub Kicinski
2021-09-25 14:25 ` Leonard Crestez
2021-09-22 20:23 ` Francesco Ruggeri
2021-09-23 7:38 ` Leonard Crestez
2021-09-25 1:35 ` David Ahern
2021-09-25 14:21 ` Leonard Crestez
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b0abf2b789220708011a862a892c37b0fd76dc25.1632240523.git.cdleonard@gmail.com \
--to=cdleonard@gmail.com \
--cc=0x7f454c46@gmail.com \
--cc=colona@arista.com \
--cc=cpaasch@apple.com \
--cc=davem@davemloft.net \
--cc=dong.menglong@zte.com.cn \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=fruggeri@arista.com \
--cc=herbert@gondor.apana.org.au \
--cc=kuba@kernel.org \
--cc=kuniyu@amazon.co.jp \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=mathew.j.martineau@linux.intel.com \
--cc=netdev@vger.kernel.org \
--cc=priyarjha@google.com \
--cc=shuah@kernel.org \
--cc=ycheng@google.com \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.