tcpdump mailing list archives

Re: code available: netmap support for libpcap


From: Luigi Rizzo <rizzo () iet unipi it>
Date: Sat, 15 Feb 2014 23:24:28 +0100

On Sat, Feb 15, 2014 at 01:59:48PM -0800, Guy Harris wrote:

> On Feb 15, 2014, at 1:44 PM, Michael Richardson <mcr () sandelman ca> wrote:
>
> > where do those headers come from?  Would it make sense to just include
> > those headers with libpcap?  That way netmap would always be available.
>
> There's "netmap", which is available only if the kernel includes netmap
> support; as long as all systems with a kernel with netmap also provide
> the headers (at least if you have a "developer package" for the OS
> installed if necessary), the headers aren't an issue for the availability
> of netmap.

First of all, thanks all for the feedback.

I think what Michael means is that if we include net/netmap.h and
net/netmap_user.h in the libpcap distribution, we can have the support
always compiled in and postpone the decision at compile time.

This seems a very interesting idea actually.
We can make the build privilege system headers if available
(in case something changes) and fall back to the one included
in the libpcap distribution otherwise.

> There's also "netmap support in libpcap", which would only be available
> if the headers are available on the system on which libpcap is built;
> that's also the case for some other OS features libpcap can use.  If the
> OS kernel doesn't include netmap support by default, and we want the user
> to be able to add it to the kernel *and* have libpcap automatically be
> able to use it without having to rebuild libpcap, the headers *are* an
> issue.
>
> Are there any issues if someone makes tcpdump (or wireshark, or some other
> libpcap using program) setuid?  (I don't see any call to popen()...)
>
> (I.e., is there any code in the netmap support that could be tricked into
> doing Bad Things, including handing off privileges to arbitrary programs
> if the program using libpcap is privileged?)

apart from bugs, the nm_* functions in the headers only call open/ioctl/mmap,
nothing else. Auditing the headers will certainly help figure out if there
are bugs.

The netmap module gives access to raw packets, and potentially
disconnect a NIC from the system, so normally access is reserved to those
who have access to /dev/netmap (which defaults to -rw------ root root on linux,
and something similar on FreeBSD).
So in this respect things are not much different from what happens with
bpf or equivalent, if you make tcpdump setuid hopefully there are
other restrictions in place that limit who can run tcpdump and
see everyone's traffic.

cheers
luigi
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers