From: Luis Ressel <aranea@aixah.de>
To: selinux <selinux@tycho.nsa.gov>
Subject: Domain of kernel module initialization code
Date: Tue, 27 Dec 2016 12:01:45 +0100 [thread overview]
Message-ID: <20161227120145.75ff429f@gentp.lnet> (raw)
Hello,
when a userspace program A (usually kmod or udev) instructs the kernel
to load a kernel module via the finit_module syscall, the kernel loads
the module into its address space and executes the initialization
routine provided by the module.

This initialization routine then runs in A's SELinux domain. While that
makes sense implementation-wise and is indeed what I'd expected (going
by my admittedly fairly basic understanding of the SELinux internals),
I'm not sure whether this is how the kernel should behave.
For example, this behaviour is currently triggering a bug on my
systems: Since Linux 4.8, most graphics drivers need CAP_SYS_ADMIN
during their module initialization (due to what is probably a kernel
bug). Hence, loading them with udev works fine because my SELinux
policy allows udev to use this capability, but those modules can't be
loaded manually with kmod/modprobe.
I could of course work around that by granting kmod the 'self:capability
sys_admin' permission, but I'm reluctant to do this since kmod itself
does not require CAP_SYS_ADMIN for its operations.
Any thoughts on this matter?
Regards,
Luis Ressel
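Added example (not part of the original message or of the replies in this thread): a small Python script that parses AVC capability denials of the kind the situation above produces and reports which source domain each one was charged to, together with the allow rule that would silence it. The audit records are constructed for the example; the domain name kmod_t is an assumption following reference-policy naming, and the domain modprobe actually runs in will depend on the local policy. Since the capability check during module init runs with the loading process's credentials, as the message describes, the denial lands on the modprobe domain rather than on anything identifying the driver, and the rule that falls out is exactly the 'self:capability sys_admin' grant the author is reluctant to add.

```python
"""Attribute SELinux AVC capability denials to the source domain they were
charged to, and derive the allow rule that would permit each one.

Added example; the audit lines below are constructed, and kmod_t (assumed
reference-policy naming) stands in for whatever domain modprobe runs in.
"""
import re
import sys

# Constructed audit records in the format the kernel hands to auditd.
# Record 1: CAP_SYS_ADMIN (capability=21) denied to the modprobe process.
# Record 2: the SYSCALL record auditd pairs with it (313 is finit_module on
#           x86-64); it carries no AVC fields and must be ignored.
# Record 3: an AVC denial of a different class, to show the class filter.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1482840105.123:456): avc:  denied  { sys_admin } for  pid=1234 comm="modprobe" capability=21  scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:system_r:kmod_t:s0 tclass=capability permissive=0
type=SYSCALL msg=audit(1482840105.123:456): arch=c000003e syscall=313 success=no exit=-1 a0=3 a1=7ffd2c1a0c90 a2=0 a3=0 items=0 ppid=1200 pid=1234 comm="modprobe" exe="/bin/kmod" subj=system_u:system_r:kmod_t:s0 key=(null)
type=AVC msg=audit(1482840110.456:457): avc:  denied  { module_load } for  pid=1234 comm="modprobe" path="/lib/modules/4.8.0/kernel/drivers/gpu/drm/drm.ko" dev="sda1" ino=98765 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
"""

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the permissions and key=value fields of one AVC denial,
    or None if the line is not an AVC denial record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    fields["perms"] = m.group("perms").split()
    return fields


def _domain(context):
    """user:role:type:level -> type (the domain for a process context)."""
    return context.split(":")[2]


def capability_denials(log_text):
    """(source domain, comm, capability name, capability number) for every
    AVC denial of class capability or capability2 in log_text."""
    found = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec.get("tclass") not in ("capability", "capability2"):
            continue
        for perm in rec["perms"]:
            found.append((_domain(rec["scontext"]), rec.get("comm", "?"),
                          perm, int(rec["capability"])))
    return found


def suggest_allow_rules(log_text):
    """The policy rules that would permit each capability denial. Capability
    checks are always against the process's own context, so these come
    out as 'self' rules; the target is still derived from tcontext."""
    rules = set()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec.get("tclass") not in ("capability", "capability2"):
            continue
        src, tgt = _domain(rec["scontext"]), _domain(rec["tcontext"])
        target = "self" if src == tgt else tgt
        for perm in rec["perms"]:
            rules.add(f"allow {src} {target}:{rec['tclass']} {perm};")
    return sorted(rules)


if __name__ == "__main__":
    # Read piped audit output if there is any, else run on the sample.
    log = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT_LOG
    for domain, comm, cap, num in capability_denials(log):
        print(f"{comm} (domain {domain}) was denied CAP_{cap.upper()} (#{num})")
    for rule in suggest_allow_rules(log):
        print("would need:", rule)
```

On a live system the same script can be fed the real records with `ausearch -m AVC | python3 avc_caps.py` (the file name is arbitrary). Note that nothing in the denial names the module: the pid, comm and scontext all describe the loader, which is why a denial raised inside a driver's init routine looks, in the audit log, like modprobe itself asking for CAP_SYS_ADMIN.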
Thread overview: 2+ messages
2016-12-27 11:01 Luis Ressel [this message]
2016-12-27 18:25 ` Domain of kernel module initialization code Stephen Smalley