Linux unprivileged ping support #173

Merged: 3 commits, Feb 29, 2020

@tycho tycho commented Feb 27, 2020

Right now if you try to use unprivileged ping (i.e. via SOCK_DGRAM) on the "develop" branch, it doesn't see the response packets.

There are a few problems this PR fixes:

  • The "ident" value cannot be specified by unprivileged processes, so we have to get it from the kernel via getsockname. This change is necessary in order for it to see the ident fields line up and accept the responses.
  • When using SOCK_DGRAM for IPv4 unprivileged ping on Linux, there is no struct ip at the beginning of the message read by recvmsg. So we have to handle that situation specially. First, we need to account for the size of the missing header when logging the responses (since it is data sent/received over the wire, but it's not visible to the userspace process). Second, we need to avoid treating the start of the buffer as struct ip.
  • The test-11-nopriv test will fail on Linux if the user is allowed to do unprivileged pings. We can check if the effective GID is within the range specified in the sysctl net.ipv4.ping_group_range and know in advance whether the ping is expected to work or not. If it is expected to work, then we should skip the test-11-nopriv test.
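
The three checks described in this comment, sketched in C as an added example (not part of the PR and not fping's code). The function names and the two header-size constants are assumptions made for illustration, and the group check covers only the effective GID, as the comment describes.

```c
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

#define IP4_HDR_MIN 20 /* sizeof(struct ip) without options */
#define ICMP_HDR_MIN 8 /* type, code, checksum, id, seq */

/* Is gid within the "<low> <high>" text of net.ipv4.ping_group_range?
 * The Linux default "1 0" is an empty range, so nobody may ping. */
int gid_may_ping(const char *range, gid_t gid) {
    unsigned long lo, hi;
    if (sscanf(range, "%lu %lu", &lo, &hi) != 2) return 0;
    return lo <= (unsigned long)gid && (unsigned long)gid <= hi;
}

/* Offset of the ICMP header in a received IPv4 message, -1 if truncated.
 * *wire gets the on-wire size, adding the header a DGRAM socket never sees. */
int icmp_offset(const unsigned char *buf, size_t len, int dgram, size_t *wire) {
    size_t hlen = 0;
    if (!dgram) {
        if (len < IP4_HDR_MIN) return -1;
        hlen = (size_t)(buf[0] & 0x0f) * 4; /* IHL, in 32-bit words */
        if (hlen < IP4_HDR_MIN) return -1;
    }
    if (len < hlen + ICMP_HDR_MIN) return -1;
    *wire = dgram ? len + IP4_HDR_MIN : len;
    return (int)hlen;
}

/* Kernel-assigned echo id of a bound ping socket, network byte order; -1 on error. */
int kernel_ident(int fd) {
    struct sockaddr_in sa;
    socklen_t sl = sizeof(sa);
    if (getsockname(fd, (struct sockaddr *)&sa, &sl) < 0) return -1;
    return sa.sin_port;
}

int main(void) {
    char range[64] = "1 0"; /* assume the empty default if unreadable */
    struct sockaddr_in any = { .sin_family = AF_INET };
    FILE *f = fopen("/proc/sys/net/ipv4/ping_group_range", "r");
    if (f) { if (!fgets(range, sizeof range, f)) range[0] = 0; fclose(f); }
    int fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
    if (fd >= 0) (void)bind(fd, (struct sockaddr *)&any, sizeof any);
    printf("egid allowed: %d, socket: %s, ident: %d\n",
           gid_may_ping(range, getegid()), fd < 0 ? "refused" : "open",
           fd < 0 ? -1 : kernel_ident(fd));
    if (fd >= 0) close(fd);
    return 0;
}
```

A tool that can rely on the SOCK_DGRAM path needs neither a setuid bit nor CAP_NET_RAW; the sysctl range then decides which groups may ping.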

coveralls commented Feb 27, 2020

Coverage increased (+0.4%) to 79.793% when pulling 44dd045 on tycho:linux-unprivileged-ping into bc5017b on schweikert:develop.

On Linux, when running with an unprivileged process, the kernel does not
respect the assigned "id" field. So in that scenario we need to ask the
kernel what assignment it has given us instead.

Signed-off-by: Steven Noonan <steven@uplinklabs.net>

Linux doesn't include an IP header in the payload when using an
unprivileged SOCK_DGRAM socket.

Signed-off-by: Steven Noonan <steven@uplinklabs.net>

Signed-off-by: Steven Noonan <steven@uplinklabs.net>

@schweikert (Owner)

Looks good, thank you!

@schweikert schweikert merged commit 43767e2 into schweikert:develop Feb 29, 2020
@tycho tycho deleted the linux-unprivileged-ping branch June 10, 2020 00:49