On Fri, Mar 2, 2018 at 6:42 AM, Heiko Baums <li...@baums-on-web.de> wrote:
> On Thu, 1 Mar 2018 21:45:46 -0500, Rich Freeman <ri...@gentoo.org> wrote:
>
>> If they did move netfilter to userspace, then it would
>
> most likely be more insecure, because a userspace process can be more easily
> bypassed, killed, hacked or whatever. That's a lot harder with the
> kernel, if not impossible.
It is actually the opposite. The whole appeal of microkernels is that they can potentially be a lot more robust. Consider something like netfilter. The code in netfilter is exposed to unfiltered network traffic. If it contains a bug, then a remote attacker might be able to run arbitrary code in kernel space, where there is no separation of privs. That code can access everything on the machine.

On the other hand, if netfilter were implemented in userspace, such as via a microkernel, then if it contained a bug the remote attacker would be able to MITM all network traffic on the machine, but that would be the extent of the access they have. Granted, it still wouldn't be ideal, because it probably would include local traffic that might not be encrypted (think localhost traffic and socket connections/etc). Then again, depending on the implementation, different interfaces or connections might run in separate processes, in which case a remote attacker might only be able to MITM his own connection.

The process running the netfilter code doesn't need anything other than a pipe back to the kernel to receive packets and send packets back, so it can run with minimal privs otherwise.

The fact that there are convenient command-line utilities to kill a process does not mean that they are less secure/robust than kernel modules. Generally you have to be running as root to kill a process with a different UID, and bugs that allow this to be exploited are treated as severe by the kernel team (and in a microkernel they would be very severe, since it is one of the few things the kernel actually does, and since the kernel doesn't do much, the things it does do get more attention). If you are root, then you can also mess with the kernel if you want to. You might not know how to do it, but messing with kernel processes certainly isn't impossible, and neither is crashing your machine.

This is why the Linux maintainers actually prefer to move stuff to userspace when it makes sense. They're not looking to transition to a microkernel, but a lot of the boot-time mounting logic and devfs/etc logic has gone away in favor of initramfs and udev. This allows for alternate implementations, and it helps cut down on the complexity of kernel code.

And of course, if this is done, it is done correctly, and not as some kind of userspace hack on top of an OS to add features that it lacks.

--
Rich
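Added illustration of the privilege-separated filter process Rich describes (this is example code written for this page, not code from the thread or from netfilter): a parent stands in for the kernel and hands the filter child nothing but one end of a socketpair, and the child drops to an unprivileged uid before it reads its first packet. The three-byte packet format, the "drop TCP to port 23" policy and uid 65534 are constructed assumptions for the demo.

```c
/* Added illustration, not code from the thread: a privilege-separated
 * packet filter. The parent stands in for the kernel and hands the child
 * only one end of a socketpair; the child drops to an unprivileged uid
 * before it sees a packet, so a bug in filter_packet() yields at most
 * control of that pipe, never the parent's (kernel's) privileges. */
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>

/* Constructed toy packet format: byte 0 = protocol (6 = TCP, 17 = UDP),
 * bytes 1-2 = destination port, big-endian. Policy: drop TCP to port 23. */
#define BLOCKED_PORT 23
#define UNPRIV_UID 65534  /* assumed 'nobody'; any non-zero uid works */

/* Pure filter decision: 1 = pass, 0 = drop. Malformed input is dropped. */
int filter_packet(const unsigned char *pkt, size_t len) {
    if (len < 3) return 0;
    unsigned port = ((unsigned)pkt[1] << 8) | pkt[2];
    return (pkt[0] == 6 && port == BLOCKED_PORT) ? 0 : 1;
}

/* Child: give up privileges (if we had any), then answer verdicts on fd. */
static void filter_loop(int fd) {
    if (geteuid() == 0 && (setgid(UNPRIV_UID) != 0 || setuid(UNPRIV_UID) != 0))
        _exit(1);               /* refuse to filter while still root */
    unsigned char buf[64];
    ssize_t n;
    while ((n = read(fd, buf, sizeof buf)) > 0) {   /* one packet per read */
        unsigned char verdict = (unsigned char)filter_packet(buf, (size_t)n);
        if (write(fd, &verdict, 1) != 1) _exit(1);
    }
    _exit(0);                   /* peer closed: parent is done with us */
}

/* Parent: fork the filter, send one packet, return its verdict or -1. */
int run_separated(const unsigned char *pkt, size_t len) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { close(sv[0]); filter_loop(sv[1]); }
    close(sv[1]);
    unsigned char verdict = 0xff;
    if (write(sv[0], pkt, len) != (ssize_t)len || read(sv[0], &verdict, 1) != 1)
        verdict = 0xff;
    close(sv[0]);               /* EOF tells the child to exit */
    waitpid(pid, NULL, 0);
    return verdict == 0xff ? -1 : (int)verdict;
}
```

Run it as root to see the uid drop take effect; as a normal user the child simply keeps its already-unprivileged identity.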