• Willem de Bruijn's avatar
    net-timestamp: no-payload only sysctl · b245be1f
    Willem de Bruijn authored
    Tx timestamps are looped onto the error queue on top of an skb. This
    mechanism leaks packet headers to processes unless the no-payload
    options SOF_TIMESTAMPING_OPT_TSONLY is set.
    
    Add a sysctl that optionally drops looped timestamp with data. This
    only affects processes without CAP_NET_RAW.
    
    The policy is checked when timestamps are generated in the stack.
    It is possible for timestamps with data to be reported after the
    sysctl is set, if these were queued internally earlier.
    
    No vulnerability is immediately known that exploits knowledge
    gleaned from packet headers, but it may still be preferable to allow
    administrators to lock down this path at the cost of possible
    breakage of legacy applications.
    Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
    
    ----
    
    Changes
      (v1 -> v2)
      - test socket CAP_NET_RAW instead of capable(CAP_NET_RAW)
      (rfc -> v1)
      - document the sysctl in Documentation/sysctl/net.txt
      - fix access control race: read .._OPT_TSONLY only once,
            use same value for permission check and skb generation.
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    b245be1f
sysctl_net_core.c 10.1 KB