From mboxrd@z Thu Jan 1 00:00:00 1970 Date: Wed, 29 Nov 2017 13:46:12 +0000 From: Alan Cox Message-ID: <20171129134612.72ccb53d@alans-desktop> In-Reply-To: References: <1511803118-2552-1-git-send-email-tixxdz@gmail.com> <1511803118-2552-2-git-send-email-tixxdz@gmail.com> <20171128191405.GO729@wotan.suse.de> <20171128211659.GP729@wotan.suse.de> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Subject: [kernel-hardening] Re: [PATCH v5 next 1/5] modules:capabilities: add request_module_cap() To: Kees Cook Cc: "Luis R. Rodriguez" , Djalal Harouni , Andy Lutomirski , Andrew Morton , James Morris , Ben Hutchings , Solar Designer , Serge Hallyn , Jessica Yu , Rusty Russell , LKML , linux-security-module , kernel-hardening@lists.openwall.com, Jonathan Corbet , Ingo Molnar , "David S. Miller" , Network Development , Peter Zijlstra , Linus Torvalds List-ID: On Tue, 28 Nov 2017 13:39:58 -0800 Kees Cook wrote: > On Tue, Nov 28, 2017 at 1:16 PM, Luis R. Rodriguez wrote: > > And *all* auto-loading uses aliases? What's the difference between auto-loading > > and direct-loading? > > The difference is the process privileges. Unprivilged autoloading > (e.g. int n_hdlc = N_HDLC; ioctl(fd, > TIOCSETD, &n_hdlc)), triggers a privileged call to finit_module() > under CAP_SYS_MODULE. If you have CAP_SYS_DAC you can rename any module to ppp.ko and ask the network manager (which has the right permissions) to init a ppp connection. Capabilities alone are simply not enough to do any kind of useful protection on a current system and the Linux capability model is broken architecturally and not fixable because fixing it would break lots of real systems. I really don't care what the module loading rules end up with and whether we add CAP_SYS_YET_ANOTHER_MEANINGLESS_FLAG but what is actually needed is to properly incorporate it into securiy ruiles for whatever LSM you are using. Alan From mboxrd@z Thu Jan 1 00:00:00 1970 From: gnomes@lxorguk.ukuu.org.uk (Alan Cox) Date: Wed, 29 Nov 2017 13:46:12 +0000 Subject: [PATCH v5 next 1/5] modules:capabilities: add request_module_cap() In-Reply-To: References: <1511803118-2552-1-git-send-email-tixxdz@gmail.com> <1511803118-2552-2-git-send-email-tixxdz@gmail.com> <20171128191405.GO729@wotan.suse.de> <20171128211659.GP729@wotan.suse.de> Message-ID: <20171129134612.72ccb53d@alans-desktop> To: linux-security-module@vger.kernel.org List-Id: linux-security-module.vger.kernel.org On Tue, 28 Nov 2017 13:39:58 -0800 Kees Cook wrote: > On Tue, Nov 28, 2017 at 1:16 PM, Luis R. Rodriguez wrote: > > And *all* auto-loading uses aliases? What's the difference between auto-loading > > and direct-loading? > > The difference is the process privileges. Unprivilged autoloading > (e.g. int n_hdlc = N_HDLC; ioctl(fd, > TIOCSETD, &n_hdlc)), triggers a privileged call to finit_module() > under CAP_SYS_MODULE. If you have CAP_SYS_DAC you can rename any module to ppp.ko and ask the network manager (which has the right permissions) to init a ppp connection. Capabilities alone are simply not enough to do any kind of useful protection on a current system and the Linux capability model is broken architecturally and not fixable because fixing it would break lots of real systems. I really don't care what the module loading rules end up with and whether we add CAP_SYS_YET_ANOTHER_MEANINGLESS_FLAG but what is actually needed is to properly incorporate it into securiy ruiles for whatever LSM you are using. Alan -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753607AbdK2Nrh (ORCPT ); Wed, 29 Nov 2017 08:47:37 -0500 Received: from www.llwyncelyn.cymru ([82.70.14.225]:37724 "EHLO fuzix.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750713AbdK2Nrd (ORCPT ); Wed, 29 Nov 2017 08:47:33 -0500 Date: Wed, 29 Nov 2017 13:46:12 +0000 From: Alan Cox To: Kees Cook Cc: "Luis R. Rodriguez" , Djalal Harouni , Andy Lutomirski , Andrew Morton , James Morris , Ben Hutchings , Solar Designer , Serge Hallyn , Jessica Yu , Rusty Russell , LKML , linux-security-module , kernel-hardening@lists.openwall.com, Jonathan Corbet , Ingo Molnar , "David S. Miller" , Network Development , Peter Zijlstra , Linus Torvalds Subject: Re: [PATCH v5 next 1/5] modules:capabilities: add request_module_cap() Message-ID: <20171129134612.72ccb53d@alans-desktop> In-Reply-To: References: <1511803118-2552-1-git-send-email-tixxdz@gmail.com> <1511803118-2552-2-git-send-email-tixxdz@gmail.com> <20171128191405.GO729@wotan.suse.de> <20171128211659.GP729@wotan.suse.de> Organization: Intel Corporation X-Mailer: Claws Mail 3.15.1-dirty (GTK+ 2.24.31; x86_64-redhat-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, 28 Nov 2017 13:39:58 -0800 Kees Cook wrote: > On Tue, Nov 28, 2017 at 1:16 PM, Luis R. Rodriguez wrote: > > And *all* auto-loading uses aliases? What's the difference between auto-loading > > and direct-loading? > > The difference is the process privileges. Unprivilged autoloading > (e.g. int n_hdlc = N_HDLC; ioctl(fd, > TIOCSETD, &n_hdlc)), triggers a privileged call to finit_module() > under CAP_SYS_MODULE. If you have CAP_SYS_DAC you can rename any module to ppp.ko and ask the network manager (which has the right permissions) to init a ppp connection. Capabilities alone are simply not enough to do any kind of useful protection on a current system and the Linux capability model is broken architecturally and not fixable because fixing it would break lots of real systems. I really don't care what the module loading rules end up with and whether we add CAP_SYS_YET_ANOTHER_MEANINGLESS_FLAG but what is actually needed is to properly incorporate it into securiy ruiles for whatever LSM you are using. Alan