tcpdump mailing list archives
Re: code available: netmap support for libpcap
From: Luigi Rizzo <rizzo () iet unipi it>
Date: Sat, 15 Feb 2014 23:24:28 +0100
On Sat, Feb 15, 2014 at 01:59:48PM -0800, Guy Harris wrote:
> On Feb 15, 2014, at 1:44 PM, Michael Richardson <mcr () sandelman ca> wrote:
>
> > where do those headers come from? Would it make sense to just include those headers with libpcap? That way netmap would always be available.
>
> There's "netmap", which is available only if the kernel includes netmap support; as long as all systems with a kernel with netmap also provide the headers (at least if you have a "developer package" for the OS installed if necessary), the headers aren't an issue for the availability of netmap.
first of all, thanks all for the feedback. I think what Michael means is that if we include net/netmap.h and net/netmap_user.h in the libpcap distribution, we can have the support always compiled in and postpone the decision at compile time. This seems a very interesting idea actually. We can make the build privilege system headers if available (in case something changes) and fall back to the one included in the libpcap distribution otherwise.
> There's also "netmap support in libpcap", which would only be available if the headers are available on the system on which libpcap is built; that's also the case for some other OS features libpcap can use. If the OS kernel doesn't include netmap support by default, and we want the user to be able to add it to the kernel *and* have libpcap automatically be able to use it without having to rebuild libpcap, the headers *are* an issue.
>
> Are there any issues if someone makes tcpdump (or wireshark, or some other libpcap using program) setuid? (I don't see any call to popen()...)
>
> (I.e., is there any code in the netmap support that could be tricked into doing Bad Things, including handing off privileges to arbitrary programs if the program using libpcap is privileged?)
apart from bugs, the nm_* functions in the headers only call open/ioctl/mmap, nothing else. Auditing the headers will certainly help figure out if there are bugs.

The netmap module gives access to raw packets, and potentially disconnect a NIC from the system, so normally access is reserved to those who have access to /dev/netmap (which defaults to -rw------ root root on linux, and something similar on FreeBSD). So in this respect things are not much different from what happens with bpf or equivalent, if you make tcpdump setuid hopefully there are other restrictions in place that limit who can run tcpdump and see everyone's traffic.

cheers
luigi

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
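The access model Luigi describes above rests on two facts an administrator can verify: that /dev/netmap is openable only by root (the -rw------- root root default), and that the capture binary is not setuid, because a setuid tcpdump makes the device node's permissions irrelevant to who can read everyone's traffic or detach a NIC. The following audit script is an added example written for this archive page; it is not code from the thread, from libpcap or from netmap. It assumes GNU coreutils `stat -c` (Linux); on FreeBSD the equivalent is `stat -f '%OLp'` and `stat -f '%u'`. The paths /dev/netmap and /usr/sbin/tcpdump are the defaults named in the discussion, and the optional expected-owner argument exists only so the checks can be exercised on constructed files.

```shell
#!/bin/sh
# Added example (not from the thread, libpcap or netmap): audit whether the
# /dev/netmap permission model is the effective gate on packet capture.

# mode_owner_only MODE: MODE is an octal string as printed by GNU "stat -c %a"
# ("600", "0600", "660", "4755"). Returns 0 when group and other have no bits.
mode_owner_only() {
    # keep only the last two octal digits (group, other)
    tail_bits=$(printf '%s' "$1" | tail -c 2)
    [ "$tail_bits" = "00" ]
}

# device_restricted PATH: 0 if PATH exists and only its owner can open it,
# 1 if it is group- or world-accessible, 2 if it does not exist (module not loaded).
device_restricted() {
    [ -e "$1" ] || return 2
    mode_owner_only "$(stat -c '%a' "$1")"
}

# device_owned_by PATH UID: 0 if the node is owned by the given uid.
device_owned_by() {
    [ "$(stat -c '%u' "$1")" = "$2" ]
}

# is_setuid PATH: 0 if the file carries the setuid bit (POSIX test -u).
is_setuid() {
    [ -u "$1" ]
}

# audit_netmap_access DEV BIN [OWNER_UID]: prints a verdict and returns
#   0  DEV is owner-only, owned by OWNER_UID (default 0), and BIN is not setuid
#   1  DEV is group/world accessible or owned by someone else
#   2  DEV is missing (netmap not loaded; nothing to audit yet)
#   3  BIN is setuid: DEV's mode no longer limits who captures
audit_netmap_access() {
    dev=$1; bin=$2; want_uid=${3:-0}
    if is_setuid "$bin"; then
        printf '%s is setuid: permissions on %s do not limit who captures\n' "$bin" "$dev"
        return 3
    fi
    rc=0
    device_restricted "$dev" || rc=$?
    case $rc in
        2) printf '%s not present (netmap not loaded)\n' "$dev"; return 2 ;;
        1) printf '%s is group/world accessible (mode %s)\n' "$dev" "$(stat -c '%a' "$dev")"; return 1 ;;
    esac
    if ! device_owned_by "$dev" "$want_uid"; then
        printf '%s is owned by uid %s, expected %s\n' "$dev" "$(stat -c '%u' "$dev")" "$want_uid"
        return 1
    fi
    printf '%s is owner-only and %s is not setuid: device ACL is the gate\n' "$dev" "$bin"
    return 0
}

# Stand-alone run against the live defaults from the thread; $1 overrides the binary.
# The exit status is swallowed here so the script can also be sourced.
audit_netmap_access /dev/netmap "${1:-/usr/sbin/tcpdump}" || :
```

Run it as `sh audit.sh /usr/local/sbin/tcpdump` to point at a locally built binary. A return of 3 is the case Luigi flags: the program is setuid, so whatever restricts who may run it (group membership, sudo policy) is what actually limits capture, not the device node. Wireshark's dumpcap is worth the same check, since it is the setuid/capability-bearing helper on many installs.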
Current thread:
- code available: netmap support for libpcap Luigi Rizzo (Feb 15)
- Re: code available: netmap support for libpcap Michael Richardson (Feb 15)
- Re: code available: netmap support for libpcap Luigi Rizzo (Feb 15)
- Re: code available: netmap support for libpcap Guy Harris (Feb 15)
- Re: code available: netmap support for libpcap Luigi Rizzo (Feb 15)
- Re: code available: netmap support for libpcap Michael Richardson (Feb 15)
- Re: code available: netmap support for libpcap Guy Harris (Feb 15)
- Re: code available: netmap support for libpcap Luigi Rizzo (Feb 15)
- Re: code available: netmap support for libpcap Luigi Rizzo (Feb 15)
- Re: code available: netmap support for libpcap Luigi Rizzo (Feb 15)
- Re: code available: netmap support for libpcap Michael Richardson (Feb 15)
- Re: code available: netmap support for libpcap Luigi Rizzo (Feb 15)
- Re: code available: netmap support for libpcap Michael Richardson (Feb 15)
- Re: code available: netmap support for libpcap Guy Harris (Feb 27)
- Re: code available: netmap support for libpcap Luigi Rizzo (Feb 27)
- Re: code available: netmap support for libpcap Guy Harris (Feb 27)
- Message not available
- Re: code available: netmap support for libpcap Guy Harris (Feb 27)
- Re: code available: netmap support for libpcap Luigi Rizzo (Feb 27)
- Re: code available: netmap support for libpcap Guy Harris (Feb 27)