How do Netlink and security interact with each other?

Question

I understand that Netlink is the modern and correct way to communicate kernel and userspace in Linux.

I have a kernel module that needs to be configurable, so I'm using Netlink to have it talk to a userspace application.

Everything works wonders, but it appears to me any user can talk to my module. I could lock the application using permissions and such, but the project is Open Source, so any user can easily compile the userspace application. Ergo, any user can configure my kernel. And that doesn't sit well with me.

It seems I'm missing something very important here, but the Netlink documentation I find is all about how to get it running, not how it fits in the real world.

How can I restrict access to the module's Netlink socket? If that is impossible, what else can be done about it?

Answer 1

facepalm

From RFC 3549:

Netlink lives in a trusted environment of a single host separated by kernel and user space. Linux capabilities ensure that only someone with CAP_NET_ADMIN capability (typically, the root user) is allowed to open sockets.

The kernel is supposed to be the one who tells whether the module should let the user proceed or not, not Netlink. OBVIOUSLY.

Just block by coding in kernelspace

/* If the current thread of execution doesn't have the proper privileges... */
if (!capable(CAP_NET_ADMIN)) { /* Or CAP_SYS_ADMIN or whatever */
    /* Throw this request away. */
    return -EPERM;

, done.

Thanks to ipclouds and tadokoro for guiding me in the right direction.