Nicolas Williams wrote:
Isn't "observability" a bit too broad here? I would assume observability includes packet counters (e.g., netstat -i) in addition to being able to look at the packet content.

Looking at counters does not typically require privilege, but maybe it
should require some basic privilege, as counters might leak useful data.

My comment was merely that the name for the privilege seems a bit too broad.

I suspect for snoop-type activity we might over time need a range of visibility, just as I suspect we'll need a set of privileges around being able to send different degrees of raw packets.

Well, if you mean ICMP ECHO REQUEST/REPLY, having a syscall (socket?)
interface to do that would save us the bother with privileges for
distinguishing those types of packets from other uses of raw networking,
no?

For sending "raw" I can see many different degrees of raw. A non-exhaustive list:
 - being able to send packets with different IPPROTO than TCP, UDP, ICMP
 - being able to send IP packets with an arbitrary IP source address, with an arbitrary IP ident field (IPPROTO_RAW allows this)
 - being able to send datalink packets with arbitrary Ethernet type, arbitrary Ethernet source address
 - being able to send Ethernet packets with bad CRC

Sending and receiving are different things.  And for loopback, does
anyone ever want to be able to send packets using a rawip socket?  Why?
Because of missing non-raw interfaces or for fault injection?

SOCK_RAW is used by ping, and I'm sure some people ping another zone.

Anyways, for me the bottom line is: someday have two privileges for
snooping, one for loopback and one for non-loopback.  It's hardly an
urgent matter, but getting this right now may save privilege-splitting
headaches later.

I agree that two separate privileges for packet capture make sense.

   Erik

_______________________________________________
networking-discuss mailing list
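
The echo-only socket interface floated in the thread exists on Linux as an ICMP datagram socket, gated by the `net.ipv4.ping_group_range` sysctl rather than by raw-socket privilege. The sketch below is an added example, not code from the thread or from Solaris; it assumes Linux, and the function names are hypothetical.

```c
#include <errno.h>
#include <netinet/in.h>
#include <netinet/ip_icmp.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* RFC 1071 Internet checksum over len bytes (big-endian 16-bit words). */
uint16_t inet_cksum(const void *buf, size_t len) {
    const uint8_t *p = buf;
    uint32_t sum = 0;
    for (; len > 1; p += 2, len -= 2)
        sum += (uint32_t)p[0] << 8 | p[1];
    if (len)
        sum += (uint32_t)p[0] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Build an ICMP echo request (8-byte header + payload); returns its length.
 * Needed on the raw path; a datagram ICMP socket sets id and checksum itself. */
size_t build_echo(uint8_t *out, uint16_t id, uint16_t seq, const char *payload) {
    size_t plen = strlen(payload);
    memset(out, 0, 8);
    out[0] = ICMP_ECHO;                      /* type 8, code 0 */
    out[4] = id >> 8;  out[5] = id & 0xff;
    out[6] = seq >> 8; out[7] = seq & 0xff;
    memcpy(out + 8, payload, plen);
    uint16_t ck = inet_cksum(out, 8 + plen);
    out[2] = ck >> 8;  out[3] = ck & 0xff;
    return 8 + plen;
}

/* Prefer the echo-only datagram socket; fall back to SOCK_RAW, which
 * needs raw-networking privilege. Returns fd or -1; *kind names the path. */
int open_echo_socket(const char **kind) {
    int fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
    if (fd >= 0) { *kind = "dgram"; return fd; }
    fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    *kind = fd >= 0 ? "raw" : "none";
    return fd;
}

int main(void) {
    const char *kind;
    int fd = open_echo_socket(&kind);
    printf("echo socket: %s (%s)\n", kind, fd >= 0 ? "ok" : strerror(errno));
    if (fd >= 0) close(fd);
    return 0;
}
```

A process that gets the `dgram` path can send echo requests and read replies but cannot emit any of the other "degrees of raw" listed in the thread, which is the separation the dedicated interface buys.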