From: Eric Paris <eparis@redhat.com>
To: "Serge E. Hallyn" <serge.hallyn@ubuntu.com>
Cc: David Miller <davem@davemloft.net>,
shemminger@vyatta.com, bhutchings@solarflare.com,
eparis@parisplace.org, segoon@openwall.com,
linux-kernel@vger.kernel.org, mjt@tls.msk.ru, arnd@arndb.de,
mirqus@gmail.com, netdev@vger.kernel.org, kuznet@ms2.inr.ac.ru,
pekkas@netcore.fi, jmorris@namei.org, yoshfuji@linux-ipv6.org,
kaber@trash.net, eric.dumazet@gmail.com, therbert@google.com,
xiaosuo@gmail.com, jesse@nicira.com, kees.cook@canonical.com,
eugene@redhat.com, dan.j.rosenberg@gmail.com,
akpm@linux-foundation.org, greg@kroah.com, sds@tycho.nsa.gov,
linux-security-module@vger.kernel.org, dwalsh@redhat.com,
dhowells@redhat.com
Subject: Re: [PATCH v2] net: don't allow CAP_NET_ADMIN to load non-netdev kernel modules
Date: Thu, 24 Mar 2011 18:15:18 -0400 [thread overview]
Message-ID: <1301004924.14296.12.camel@localhost.localdomain> (raw)
In-Reply-To: <20110324215747.GA12585@peq.hallyn.com>
On Thu, 2011-03-24 at 16:57 -0500, Serge E. Hallyn wrote:
> Quoting David Miller (davem@davemloft.net):
> > From: Stephen Hemminger <shemminger@vyatta.com>
> > Date: Thu, 24 Mar 2011 14:39:44 -0700
> >
> > > This breaks for many of the tunneling protocols, that rely on
> > > autoload for names like "sit0"
> >
> > Frankly I'm very disappointed in the fallout this has been causing.
> >
> > Everyone supporting this change, get real, and admit it doing in fact
> > cause a serious regression.
>
> Sorry, I thought this was causing some extra audit messages but no
> actual breakage?
I've got one report of someone claiming their system broke, but I'm not
convinced I believe it since his dmesg didn't show the magic pr_err()
when it should have. It's certainly possible this can break someone in
a system which uses fine grained capabilities controls, but I agree it's
pretty unlikely. My biggest personal concern is that I have a whole
darn bunch of new scary messages which are popping out of people's
computers since they don't have CAP_SYS_MODULE. While I can silence
them, it's going to hide use of init_module() directly as well, which I
really don't want to hide from the scary logs....
> > If you can't get past that simple fact, you cannot discuss this issue
> > intelligently.
> >
> > You can't say "userland will fix things up"
> >
> > Because we're never supposed to break userland in the first place.
> >
> > There is simply no excuse for this and I want this change reverted
> > both in Linus's tree and in -stable.
>
> Eric, in this particular case, since we've already done a
> 'capable(CAP_NET_ADMIN)', I woudl argue that doing the check
> for CAP_SYS_ADMIN without auditing failure (even if it requires
> a new helper in capability.c) isn't horrible. Thoughts?
s/CAP_SYS_ADMIN/CAP_SYS_MODULE/
I can do that. It was actually my #2 suggestion. But, I'm certainly
willing to put some of the burden on userspace. SELinux policy is a
userspace construct and we often force other userspace applications to
fix things they do poorly (even if it gets us a rep for being
'difficult') Non-SELinux systems aren't going to see this problem,
because basically noone else I know of tries to enforce any kind of
capabilities sets other than all or none, so you'll never see
CAP_NET_ADMIN without CAP_SYS_MODULE.
I guess what it comes down to is that I'm happy to break Fedora user's
with SELinux if in the end it gets us a better system. I'd be happy to
just rip the whole CAP_SYS_MODULE portion out and blame it on SELinux,
but I know that's not what upstream does. So given what we have today I
personally would push for a no_audit() interface rather than a complete
revert. (or maybe a compile option so I can turn off the fallback
altogether and force people to come into compliance)
-Eric
next prev parent reply other threads:[~2011-03-24 22:17 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-02-24 15:12 module loading with CAP_NET_ADMIN Vasiliy Kulikov
2011-02-24 16:34 ` Ben Hutchings
2011-02-25 12:30 ` Vasiliy Kulikov
2011-02-25 15:14 ` [PATCH] don't allow CAP_NET_ADMIN to load non-netdev kernel modules Vasiliy Kulikov
2011-02-25 17:25 ` Valdis.Kletnieks
2011-02-25 17:47 ` Vasiliy Kulikov
2011-02-25 17:48 ` Ben Hutchings
2011-02-25 18:47 ` David Miller
2011-02-25 19:02 ` Vasiliy Kulikov
2011-02-25 19:05 ` David Miller
2011-02-25 19:07 ` Ben Hutchings
2011-02-25 19:16 ` David Miller
2011-02-25 19:30 ` Ben Hutchings
2011-02-25 19:43 ` David Miller
2011-02-25 19:53 ` Ben Hutchings
2011-02-25 20:37 ` David Miller
2011-02-25 20:38 ` Ben Hutchings
2011-02-25 20:59 ` Michał Mirosław
2011-02-27 20:22 ` Arnd Bergmann
2011-02-28 9:29 ` Michael Tokarev
2011-02-28 9:51 ` Vasiliy Kulikov
2011-02-28 19:23 ` David Miller
2011-03-01 19:48 ` [PATCH] net: " Vasiliy Kulikov
2011-03-01 20:13 ` Ben Hutchings
2011-03-01 21:33 ` [PATCH v2] " Vasiliy Kulikov
2011-03-02 7:15 ` Michael Tokarev
2011-03-09 22:06 ` Vasiliy Kulikov
2011-03-09 22:09 ` David Miller
2011-03-09 22:53 ` James Morris
2011-03-10 9:49 ` Vasiliy Kulikov
2011-03-02 16:01 ` Kees Cook
2011-03-02 19:39 ` Jake Edge
2011-03-02 19:43 ` Vasiliy Kulikov
2011-03-02 19:49 ` Jake Edge
2011-03-02 20:18 ` Vasiliy Kulikov
2011-03-02 20:38 ` Jake Edge
2011-03-02 20:40 ` Jake Edge
2011-03-22 20:47 ` Eric Paris
2011-03-22 20:47 ` Eric Paris
2011-03-24 15:37 ` Serge E. Hallyn
2011-03-24 18:03 ` Eric Paris
2011-03-24 18:33 ` Ben Hutchings
2011-03-24 20:26 ` Serge E. Hallyn
2011-03-24 21:39 ` Stephen Hemminger
2011-03-24 21:46 ` David Miller
2011-03-24 21:57 ` Serge E. Hallyn
2011-03-24 22:15 ` Eric Paris [this message]
2011-03-24 21:57 ` Greg KH
2011-03-26 10:35 ` Vasiliy Kulikov
2011-02-27 11:44 ` [PATCH] " Vasiliy Kulikov
2011-02-27 23:18 ` David Miller
2011-02-27 23:19 ` David Miller
2011-02-25 15:29 ` module loading with CAP_NET_ADMIN Michael Tokarev
2011-02-25 15:57 ` Vasiliy Kulikov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1301004924.14296.12.camel@localhost.localdomain \
--to=eparis@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=arnd@arndb.de \
--cc=bhutchings@solarflare.com \
--cc=dan.j.rosenberg@gmail.com \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=dwalsh@redhat.com \
--cc=eparis@parisplace.org \
--cc=eric.dumazet@gmail.com \
--cc=eugene@redhat.com \
--cc=greg@kroah.com \
--cc=jesse@nicira.com \
--cc=jmorris@namei.org \
--cc=kaber@trash.net \
--cc=kees.cook@canonical.com \
--cc=kuznet@ms2.inr.ac.ru \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mirqus@gmail.com \
--cc=mjt@tls.msk.ru \
--cc=netdev@vger.kernel.org \
--cc=pekkas@netcore.fi \
--cc=sds@tycho.nsa.gov \
--cc=segoon@openwall.com \
--cc=serge.hallyn@ubuntu.com \
--cc=shemminger@vyatta.com \
--cc=therbert@google.com \
--cc=xiaosuo@gmail.com \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.