diff mbox

Implement IP_EVIL socket option (RFC 3514)

Message ID 1333284791-5363-1-git-send-email-martin@lucina.net
State Not Applicable, archived
Delegated to: David Miller
Headers show

Commit Message

Martin Lucina April 1, 2012, 12:53 p.m. UTC 
This patch implements the IP_EVIL socket option, allowing user-space
applications to set the Security Flag in the IPv4 Header, aka "evil" bit,
as defined in RFC 3514.

Signed-off-by: Martin Lucina <martin@lucina.net>
---
 include/linux/in.h      |    1 +
 include/net/inet_sock.h |    1 +
 net/ipv4/af_inet.c      |    1 +
 net/ipv4/ip_output.c    |    2 ++
 net/ipv4/ip_sockglue.c  |    9 ++++++++-
 5 files changed, 13 insertions(+), 1 deletions(-)

Comments

David Miller April 1, 2012, 7:20 p.m. UTC | #1 
I'm extremely disappointed with the april fools submissions this
year to be honest...
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Martin Lucina April 2, 2012, 9:24 a.m. UTC | #2 
davem@davemloft.net said:
> 
> I'm extremely disappointed with the april fools submissions this
> year to be honest...

Well, with Anonymous making their own distro, and the advertised "takedown
of the Internet" on Saturday, it seemed timeley. I guess I should have
written a more convincing blurb in the commit message...
David Miller April 2, 2012, 9:35 a.m. UTC | #3 
From: Martin Lucina <martin@lucina.net>
Date: Mon, 2 Apr 2012 11:24:10 +0200

> davem@davemloft.net said:
>> 
>> I'm extremely disappointed with the april fools submissions this
>> year to be honest...
> 
> Well, with Anonymous making their own distro, and the advertised "takedown
> of the Internet" on Saturday, it seemed timeley. I guess I should have
> written a more convincing blurb in the commit message...

It wasn't the blurb it was simply that you're at least the third
person to submit a patch like this over the years, here's one:

http://www.version6.net/patches/linux-2.4.20-rfc3514.dif

Someone did a netfilter iptables module too:

http://www.gossamer-threads.com/lists/linux/kernel/431645
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Martin Lucina April 2, 2012, 9:42 a.m. UTC | #4 
davem@davemloft.net said:
> It wasn't the blurb it was simply that you're at least the third
> person to submit a patch like this over the years, here's one:
> 
> http://www.version6.net/patches/linux-2.4.20-rfc3514.dif
> 
> Someone did a netfilter iptables module too:
> 
> http://www.gossamer-threads.com/lists/linux/kernel/431645

I missed the former patch completely, sorry about that. Googling for "evil
bit implementation" did turn up the ipt_evil patch but no corresponding
patch to actually let an application *set* the bit.
Florian Weimer April 4, 2012, 7:17 p.m. UTC | #5 
* Martin Lucina:

> This patch implements the IP_EVIL socket option, allowing user-space
> applications to set the Security Flag in the IPv4 Header, aka "evil" bit,
> as defined in RFC 3514.

I need this to fix a security issue.  Could this be merged for real,
please?
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Al Viro April 4, 2012, 8:18 p.m. UTC | #6 
On Wed, Apr 04, 2012 at 09:17:00PM +0200, Florian Weimer wrote:
> * Martin Lucina:
> 
> > This patch implements the IP_EVIL socket option, allowing user-space
> > applications to set the Security Flag in the IPv4 Header, aka "evil" bit,
> > as defined in RFC 3514.
> 
> I need this to fix a security issue.  Could this be merged for real,
> please?

I would suggest switching away from your RFC1149 link - looks like your mail
took 3 days on the way out...
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Florian Weimer April 5, 2012, 6:01 a.m. UTC | #7 
* Al Viro:

> On Wed, Apr 04, 2012 at 09:17:00PM +0200, Florian Weimer wrote:
>> * Martin Lucina:
>> 
>> > This patch implements the IP_EVIL socket option, allowing user-space
>> > applications to set the Security Flag in the IPv4 Header, aka "evil" bit,
>> > as defined in RFC 3514.
>> 
>> I need this to fix a security issue.  Could this be merged for real,
>> please?
>
> I would suggest switching away from your RFC1149 link - looks like your mail
> took 3 days on the way out...

Sorry, I saw it just now.

The idea is to change the JVM to set IP_EVIL when an applet creates a
socket, so that this socket cannot be used to trick firewalls to open
up access to totally unrelated services.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

diff --git a/include/linux/in.h b/include/linux/in.h
index e0337f1..6814c0f 100644
--- a/include/linux/in.h
+++ b/include/linux/in.h
@@ -86,6 +86,7 @@  struct in_addr {
 
 #define IP_MINTTL       21
 #define IP_NODEFRAG     22
+#define IP_EVIL         23
 
 /* IP_MTU_DISCOVER values */
 #define IP_PMTUDISC_DONT		0	/* Never send DF frames */
diff --git a/include/net/inet_sock.h b/include/net/inet_sock.h
index ae17e13..37aaf9b 100644
--- a/include/net/inet_sock.h
+++ b/include/net/inet_sock.h
@@ -168,6 +168,7 @@  struct inet_sock {
 				transparent:1,
 				mc_all:1,
 				nodefrag:1;
+	__u8			evil;
 	__u8			rcv_tos;
 	int			uc_index;
 	int			mc_index;
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index 10e3751..b165dfb 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -356,6 +356,7 @@  lookup_protocol:
 	inet->is_icsk = (INET_PROTOSW_ICSK & answer_flags) != 0;
 
 	inet->nodefrag = 0;
+	inet->evil = 0; /* Don't be evil */
 
 	if (SOCK_RAW == sock->type) {
 		inet->inet_num = protocol;
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 4910176..c1b4b15 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -157,6 +157,8 @@  int ip_build_and_send_pkt(struct sk_buff *skb, struct sock *sk,
 		iph->frag_off = htons(IP_DF);
 	else
 		iph->frag_off = 0;
+	if (inet->evil)
+		iph->frag_off |= 1<<15;
 	iph->ttl      = ip_select_ttl(inet, &rt->dst);
 	iph->daddr    = (opt && opt->opt.srr ? opt->opt.faddr : daddr);
 	iph->saddr    = saddr;
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index 2fd0fba..f26d45c 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -463,7 +463,8 @@  static int do_ip_setsockopt(struct sock *sk, int level,
 			     (1<<IP_MTU_DISCOVER) | (1<<IP_RECVERR) |
 			     (1<<IP_ROUTER_ALERT) | (1<<IP_FREEBIND) |
 			     (1<<IP_PASSSEC) | (1<<IP_TRANSPARENT) |
-			     (1<<IP_MINTTL) | (1<<IP_NODEFRAG))) ||
+			     (1<<IP_MINTTL) | (1<<IP_NODEFRAG) |
+			     (1<<IP_EVIL))) ||
 	    optname == IP_UNICAST_IF ||
 	    optname == IP_MULTICAST_TTL ||
 	    optname == IP_MULTICAST_ALL ||
@@ -598,6 +599,9 @@  static int do_ip_setsockopt(struct sock *sk, int level,
 		}
 		inet->nodefrag = val ? 1 : 0;
 		break;
+	case IP_EVIL:
+		inet->evil = val ? 1 : 0;
+		break;
 	case IP_MTU_DISCOVER:
 		if (val < IP_PMTUDISC_DONT || val > IP_PMTUDISC_PROBE)
 			goto e_inval;
@@ -1176,6 +1180,9 @@  static int do_ip_getsockopt(struct sock *sk, int level, int optname,
 	case IP_NODEFRAG:
 		val = inet->nodefrag;
 		break;
+	case IP_EVIL:
+		val = inet->evil;
+		break;
 	case IP_MTU_DISCOVER:
 		val = inet->pmtudisc;
 		break;