From: Solar Designer <solar@openwall.com>
To: Vasiliy Kulikov <segoon@openwall.com>
Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
Pavel Kankovsky <peak@argo.troja.mff.cuni.cz>,
Kees Cook <kees.cook@canonical.com>,
Dan Rosenberg <dan.j.rosenberg@gmail.com>,
Eugene Teo <eugene@redhat.com>,
Nelson Elhage <nelhage@ksplice.com>,
"David S. Miller" <davem@davemloft.net>,
Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>,
Pekka Savola <pekkas@netcore.fi>,
James Morris <jmorris@namei.org>,
Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
Patrick McHardy <kaber@trash.net>
Subject: Re: [PATCH] net: ipv4: add IPPROTO_ICMP socket kind
Date: Tue, 12 Apr 2011 09:06:59 +0400
Message-ID: <20110412050659.GA14129@openwall.com>
In-Reply-To: <20110409101514.GA4262@albatros>
On Sat, Apr 09, 2011 at 02:15:14PM +0400, Vasiliy Kulikov wrote:
> This patch adds IPPROTO_ICMP socket kind. It makes it possible to send
> ICMP_ECHO messages and receive the corresponding ICMP_ECHOREPLY messages
> without any special privileges. In other words, the patch makes it
> possible to implement setuid-less and CAP_NET_RAW-less /bin/ping. In
> order not to increase the kernel's attack surface (in case of
> vulnerabilities in the newly added code), the new functionality is
> disabled by default, but is enabled at bootup by supporting Linux
> distributions, optionally with restriction to a group or a group range
...
> For Openwall GNU/*/Linux it is the last step on the road to the
> setuid-less distro.

More correctly, it _was_ the last step - we've already taken it, so a
revision of the patch (against OpenVZ/RHEL5 kernels) is currently in use.
We would really like this accepted into mainline, which is why Vasiliy
spends extra effort to keep the patch updated to current mainline
kernels and re-test it. If there are any comments/concerns/objections,
we'd be happy to hear those.

> Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>

Acked-by: Solar Designer <solar@openwall.com>

>  include/net/netns/ipv4.h   |    2 +
>  include/net/ping.h         |   69 ++++
>  net/ipv4/Kconfig           |   21 +
>  net/ipv4/Makefile          |    1 +
>  net/ipv4/af_inet.c         |   36 ++
>  net/ipv4/icmp.c            |   14 +-
>  net/ipv4/ping.c            |  933 ++++++++++++++++++++++++++++++++++++++++++++
>  net/ipv4/sysctl_net_ipv4.c |   90 +++++
>  8 files changed, 1165 insertions(+), 1 deletions(-)

Thanks,

Alexander
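The quoted patch description says what the new socket kind is for (an ICMP_ECHO/ICMP_ECHOREPLY exchange without CAP_NET_RAW) but the message carries no user-space code. The program below is an added example, not code from the patch, from the thread, or from Openwall's own ping: a minimal unprivileged ping over `socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP)`. It assumes a kernel that has the feature and a caller whose group falls inside `net.ipv4.ping_group_range`; the default target 127.0.0.1, the payload string, and the helper names `icmp_checksum`, `build_echo_request` and `parse_echo_reply` are all the example's own choices. The behaviour it relies on (the kernel overwrites the echo identifier with the socket's local "port", recomputes the checksum, and delivers replies without the IP header) is how the mainline ping-socket implementation behaves, not something stated in this message.

```c
/* Added example, not code from the patch or from Openwall: unprivileged ICMP
 * echo over the IPPROTO_ICMP datagram socket. Assumes a kernel with this socket
 * kind, a gid inside net.ipv4.ping_group_range, and a responding target
 * (127.0.0.1 by default; an assumption for illustration). */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netinet/ip_icmp.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* RFC 1071 one's-complement sum; words are read big-endian, so the result is
 * host-order and identical on any machine. */
uint16_t icmp_checksum(const void *buf, size_t len)
{
    const uint8_t *p = buf;
    uint32_t sum = 0;
    for (; len > 1; len -= 2, p += 2)
        sum += (uint32_t)p[0] << 8 | p[1];
    if (len) sum += (uint32_t)p[0] << 8;          /* odd trailing byte, zero-padded */
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);   /* fold carries */
    return (uint16_t)~sum;
}

/* Build ICMP_ECHO (8-byte header + payload) into out; returns length, 0 if cap is too small. */
size_t build_echo_request(uint8_t *out, size_t cap, uint16_t id, uint16_t seq,
                          const uint8_t *payload, size_t payload_len)
{
    size_t len = 8 + payload_len;
    if (cap < len) return 0;
    out[0] = ICMP_ECHO;                   /* type 8, code 0: the only pair */
    out[1] = 0;                           /* a ping socket will send */
    out[2] = out[3] = 0;                  /* checksum placeholder */
    out[4] = id >> 8;  out[5] = id & 0xff;
    out[6] = seq >> 8; out[7] = seq & 0xff;
    if (payload_len) memcpy(out + 8, payload, payload_len);
    uint16_t cs = icmp_checksum(out, len);
    out[2] = cs >> 8; out[3] = cs & 0xff;  /* stored big-endian */
    return len;
}

/* Validate a datagram read from the socket. Ping sockets deliver the ICMP
 * header and payload only (no IP header, unlike a raw socket). Returns 1 for
 * a well-formed ICMP_ECHOREPLY carrying expect_seq, else 0. */
int parse_echo_reply(const uint8_t *buf, size_t len, uint16_t expect_seq,
                     uint16_t *id_out)
{
    if (len < 8 || buf[0] != ICMP_ECHOREPLY || buf[1] != 0) return 0;
    if (icmp_checksum(buf, len) != 0) return 0;   /* sum over a valid packet is 0 */
    if ((uint16_t)(buf[6] << 8 | buf[7]) != expect_seq) return 0;
    if (id_out) *id_out = (uint16_t)(buf[4] << 8 | buf[5]);
    return 1;
}

int main(int argc, char **argv)
{
    const char *target = argc > 1 ? argv[1] : "127.0.0.1";
    struct sockaddr_in dst = { .sin_family = AF_INET }, local;
    socklen_t llen = sizeof local;
    struct timeval tv = { 1, 0 };         /* don't block forever on no reply */
    uint8_t pkt[64], rbuf[1500];
    uint16_t id;
    if (inet_pton(AF_INET, target, &dst.sin_addr) != 1) {
        fprintf(stderr, "bad IPv4 address: %s\n", target);
        return 1;
    }
    /* SOCK_DGRAM + IPPROTO_ICMP: the new socket kind, no CAP_NET_RAW needed. */
    int fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
    if (fd < 0) {
        perror("socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP)");
        return 1;                         /* no ping sockets, or gid not in range */
    }
    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    /* The id we write is ignored: the kernel substitutes the socket's local
     * "port" (see getsockname below) and recomputes the checksum itself. */
    size_t n = build_echo_request(pkt, sizeof pkt, 0, 1,
                                  (const uint8_t *)"ping-socket", 11);
    if (sendto(fd, pkt, n, 0, (struct sockaddr *)&dst, sizeof dst) < 0) { perror("sendto"); return 1; }
    getsockname(fd, (struct sockaddr *)&local, &llen);
    ssize_t r = recv(fd, rbuf, sizeof rbuf, 0);
    if (r < 0) { perror("recv"); return 1; }
    if (parse_echo_reply(rbuf, (size_t)r, 1, &id))
        printf("%zd bytes from %s: icmp id=%u seq=1 (socket port %u)\n",
               r, target, id, ntohs(local.sin_port));
    else
        printf("unexpected datagram from %s (%zd bytes)\n", target, r);
    close(fd);
    return 0;
}
```

Build with `cc -o ping-dgram ping-dgram.c` and run it as an ordinary user. The "disabled by default ... optionally with restriction to a group or a group range" in the patch description is the `net.ipv4.ping_group_range` sysctl named later in this thread: it takes a "min max" pair of GIDs, and the mainline default of `1 0` (min above max) matches no group at all, so `socket()` fails with EACCES until an administrator sets, for example, `sysctl -w net.ipv4.ping_group_range="0 2147483647"` (every group) or a narrower range for just the users who need ping. Nothing in this program runs as root or needs a file capability, which is the point of the patch.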
Thread overview: 25+ messages
2011-04-09 10:15 [PATCH] net: ipv4: add IPPROTO_ICMP socket kind Vasiliy Kulikov
2011-04-12 5:06 ` Solar Designer [this message]
2011-04-12 21:25 ` David Miller
2011-04-13 11:22 ` Vasiliy Kulikov
2011-05-05 11:32 ` Vasiliy Kulikov
2011-05-10 18:09 ` [PATCH v2] " Vasiliy Kulikov
2011-05-10 19:15 ` David Miller
2011-05-10 19:45 ` Vasiliy Kulikov
2011-05-13 20:01 ` [PATCH v3] " Vasiliy Kulikov
2011-05-13 20:08 ` David Miller
2011-05-13 21:30 ` Andi Kleen
2011-05-13 22:22 ` [PATCH net-next-2.6] net: ipv4: add ping_group_range documentation Eric Dumazet
2011-05-15 8:18 ` [PATCH net-next-2.6] net: ping: dont call udp_ioctl() Eric Dumazet
2011-05-15 21:30 ` Solar Designer
2011-05-15 21:44 ` David Miller
2011-05-16 7:26 ` [PATCH net-next-2.6 v2] " Eric Dumazet
2011-05-16 12:48 ` Vasiliy Kulikov
2011-05-16 15:50 ` David Miller
2011-04-13 10:29 ` [PATCH] net: ipv4: add IPPROTO_ICMP socket kind Alexey Dobriyan
2011-04-13 11:32 ` Vasiliy Kulikov
2011-04-14 9:16 ` Alexey Dobriyan
2011-04-14 1:53 ` Simon Horman
-- strict thread matches above, loose matches on Subject: below --
2011-03-18 18:00 Vasiliy Kulikov
2011-03-18 19:47 ` David Miller
2011-03-18 19:59 ` Vasiliy Kulikov