On 10/27/20 1:17 AM, Vincent Bernat wrote:
> ❦ 23 October 2020 08:40 -06, David Ahern:
>
>>> I am wondering if we should revert the patch for 5.10 while we can,
>>> waiting for a better solution (and breaking people relying on the new
>>> behavior in 5.9).
>>>
>>> Then, I can propose a patch with a sysctl to avoid breaking existing
>>> setups.
>>>
>>
>> I have not walked the details, but it seems like a security policy can
>> be installed to get the previous behavior.
>
> libtorrent is using SO_BINDTODEVICE for some reason (code is quite old,
> so no git history). Previously, the call was unsuccessful and the error
> was logged and ignored. Now, it succeeds and circumvents the routing
> policy. Using Netfilter does not help as libtorrent won't act on dropped
> packets as the socket is already configured on the wrong interface.
> kprobe is unable to modify a syscall and seccomp cannot be applied
> globally. LSMs are usually distro specific. What kind of security policy
> do you have in mind?
>
Nothing specific; I was hand-waving. There are bpf hooks to set and unset socket options, but those seem inconvenient here. I guess a sysctl is the only practical solution. If you do that we should have granularity - any device, l3mdev devices only, ...
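
Of the mechanisms the thread walks through, the one a practitioner can apply today without a kernel change is the per-process one: seccomp cannot be applied globally, as Vincent says, but it can be installed into the single program whose SO_BINDTODEVICE call is now succeeding, and it survives execve, so a small wrapper is enough. The following is an added example, not code from this thread, from the kernel, or from libtorrent. The function and macro names (deny_bindtodevice, try_bindtodevice, reuseaddr_still_works, THIS_AUDIT_ARCH) are my own; it assumes a little-endian x86_64 or aarch64 Linux host. try_bindtodevice reproduces the pattern Vincent describes (attempt the bind, report the error, carry on) so the effect of the filter is visible; nothing here is libtorrent's actual code.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Assumption: little-endian x86_64 or aarch64; extend for other targets. */
#if defined(__x86_64__)
#define THIS_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define THIS_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this target"
#endif

/*
 * Install a seccomp-BPF filter that makes
 * setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, ...) fail with EPERM in this
 * process and in everything it forks or execs.  Every other syscall, and
 * every other socket option, passes through untouched.
 * Returns 0 on success, -1 (errno set) if the kernel or sandbox refuses.
 */
static int deny_bindtodevice(void)
{
    struct sock_filter filter[] = {
        /* 0-2: kill if running under a foreign ABI (syscall numbers differ) */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* 3-4: only setsockopt() is of interest; otherwise jump to ALLOW */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_setsockopt, 0, 5),
        /* 5-6: args[1] is `level`; the low 32 bits suffice on little-endian */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[1])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SOL_SOCKET, 0, 3),
        /* 7-8: args[2] is `optname` */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SO_BINDTODEVICE, 0, 1),
        /* 9: matched: hand EPERM back to the caller before the kernel path runs */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        /* 10: everything else is allowed */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = sizeof(filter) / sizeof(filter[0]),
        .filter = filter,
    };

    /* Needed to install a filter without CAP_SYS_ADMIN; also makes it stick across execve. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* The pattern described for libtorrent: try to pin a socket to an interface,
 * and report failure rather than abort.  Returns 0 on success, else errno. */
static int try_bindtodevice(const char *ifname)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return errno;
    int rc = setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, ifname, strlen(ifname) + 1);
    int err = (rc == 0) ? 0 : errno;
    close(fd);
    return err;
}

/* Control: an unrelated socket option must still work under the filter. */
static int reuseaddr_still_works(void)
{
    int one = 1;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    int ok = fd >= 0 && setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one) == 0;
    if (fd >= 0)
        close(fd);
    return ok;
}

/* Usage: ./deny-bindtodevice            (self-demo)
 *        ./deny-bindtodevice prog args  (install the filter, then exec prog) */
int main(int argc, char **argv)
{
    printf("before filter: SO_BINDTODEVICE(lo) -> %s\n", strerror(try_bindtodevice("lo")));
    if (deny_bindtodevice() != 0) {
        perror("seccomp filter not installed");
        return 1;
    }
    if (argc > 1) {
        execvp(argv[1], argv + 1);
        perror("execvp");
        return 127;
    }
    printf("after filter:  SO_BINDTODEVICE(lo) -> %s\n", strerror(try_bindtodevice("lo")));
    printf("SO_REUSEADDR still allowed: %s\n", reuseaddr_still_works() ? "yes" : "no");
    return 0;
}
```

Two caveats tie this back to the thread. First, the filter only sees the scalar syscall arguments; the interface name lives behind a user pointer that seccomp cannot dereference, so it refuses SO_BINDTODEVICE for every device, not just non-l3mdev ones. That is precisely the "any device / l3mdev devices only" granularity David is asking for, and only a kernel-side knob (or a BPF setsockopt hook with access to the option value) can provide it. Second, the program must tolerate the EPERM, which is the pre-5.9 behaviour Vincent describes for libtorrent (log and ignore); a program that aborts on the failure would need a different remedy.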
