On Wed, Aug 24, 2016 at 11:35 PM, David Ahern <[email protected]> wrote: > sock_diag_destroy already requires ADMIN for destroying sockets, so adding > here just prevents listing them. Given that and the fact that the diag API > does not pass the mark value is there a reason to add the extra ADMIN check?
Even though the API does not return the mark value, this code allows the caller to find the mark of any socket simply by performing n=32 socket dumps, each filtering for a mark/mask of 1<<n/1<<n. Each such dump will reveal bit n in the mark of all sockets in the system. If you consider socket marks to be information that's private to the app, then it's appropriate to restrict access to them to NET_ADMIN. I thought it prudent to do so, particularly since only applications with NET_ADMIN can set marks in the first place. Note that a process with NET_ADMIN can already determine the mark of any given socket (as long as that socket sends a packet) by installing 32 iptables rules that exactly match the socket's 5-tuple and where each rule checks one bit in the mark. So this patch doesn't expose any information that was not previously available.
