From: ebiederm@xmission.com (Eric W. Biederman)
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: "Kees Cook" <keescook@chromium.org>,
"Geo Kozey" <geokozey@mailfence.com>,
"LSM List" <linux-security-module@vger.kernel.org>,
"Linux Kernel Mailing List" <linux-kernel@vger.kernel.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
"Mahesh Bandewar (महेश बंडेवार)" <maheshb@google.com>,
"Serge E. Hallyn" <serge@hallyn.com>
Subject: Re: [kernel-hardening] Re: [PATCH v5 next 5/5] net: modules: use request_module_cap() to load 'netdev-%s' modules
Date: Tue, 28 Nov 2017 22:26:32 -0600 [thread overview]
Message-ID: <87o9nlk8w7.fsf@xmission.com> (raw)
In-Reply-To: <CA+55aFwDfBnMVGfBVkrFFr26tp1y8CUpSf154AuXH+sWyeY5FA@mail.gmail.com> (Linus Torvalds's message of "Tue, 28 Nov 2017 16:50:09 -0800")
Linus Torvalds <torvalds@linux-foundation.org> writes:
> On Tue, Nov 28, 2017 at 4:26 PM, Kees Cook <keescook@chromium.org> wrote:
>>
>>> The model that I am a proponent of is to take a softer approach
>>> initially: don't forbid module loading (because that breaks users),
>>> but instead _warn_ about non-root module loading. And then we can
>>> start fixing the cases that we find.
>>
>> I am totally fine with this. The question I'm hoping to have answered
>> is, "then what?" We already have concrete examples of module
>> autoloading that will still be need to stay unprivileged and as-is in
>> the kernel (even if we remove others). What do you see as the way to
>> allow an admin to turn those off?
>
> Just thinking about the DCCP case, where networking people actually
> knew it was pretty deprecated and had no real maintainer, I think one
> thing to look at would be simply a per-module flag.
>
> That kind of thing should be fairly easy to implement, along the same
> lines as the module license - it just sets a flag in the ELF section
> headers.
>
> With something like that, we literally could make the default be "no
> autoloading except for root", and then just mark the modules that we
> think are ok and well maintained.
>
> Sure, if you then do a lock-down mode that makes that flag parsing
> stricter, then that's a separate thing. But I suspect we definitely
> could be a lot stricter on a per-module basis, and do it in a way
> where a normal user wouldn't even notice that we've limited the
> autoloading.
>
> But the first step would be to just add some noise. And even with the
> per-module flag, at first it would only suppress the noise (ie we'd
> still _allow_ loading other modules, they'd just be noisy). Then, if
> nobody hollers, maybe the next kernel release we'll make it actually
> enforce the flag.
>
On a slight tangent to all of this.
The issue of reducing attack surface has also come up in another thread
and it was suggested there that we make some ns_capable calls
conditionally capable calls so certain pieces of code won't be available
in user namespaces, when we know there is a bug but don't yet have a
good fix rolled out yet.
Which again brings us to attack surface reduction.
I was wondering if perhaps a better way to do some of that, might be to
have places in the kernel where we could use something like ftrace to
add a permission check at a well known functions boundaries and fail the
functions when we want to reduce the attack surface.
It is not as elegant as adding a maintenance status to a module and only
allowing actively maintained modules to be auto-loaded. But perhaps
with a few more eyes the idea can be fleshed out to something generally useful.
Eric
WARNING: multiple messages have this Message-ID (diff)
From: ebiederm@xmission.com (Eric W. Biederman)
To: linux-security-module@vger.kernel.org
Subject: [kernel-hardening] Re: [PATCH v5 next 5/5] net: modules: use request_module_cap() to load 'netdev-%s' modules
Date: Tue, 28 Nov 2017 22:26:32 -0600 [thread overview]
Message-ID: <87o9nlk8w7.fsf@xmission.com> (raw)
In-Reply-To: <CA+55aFwDfBnMVGfBVkrFFr26tp1y8CUpSf154AuXH+sWyeY5FA@mail.gmail.com> (Linus Torvalds's message of "Tue, 28 Nov 2017 16:50:09 -0800")
Linus Torvalds <torvalds@linux-foundation.org> writes:
> On Tue, Nov 28, 2017 at 4:26 PM, Kees Cook <keescook@chromium.org> wrote:
>>
>>> The model that I am a proponent of is to take a softer approach
>>> initially: don't forbid module loading (because that breaks users),
>>> but instead _warn_ about non-root module loading. And then we can
>>> start fixing the cases that we find.
>>
>> I am totally fine with this. The question I'm hoping to have answered
>> is, "then what?" We already have concrete examples of module
>> autoloading that will still be need to stay unprivileged and as-is in
>> the kernel (even if we remove others). What do you see as the way to
>> allow an admin to turn those off?
>
> Just thinking about the DCCP case, where networking people actually
> knew it was pretty deprecated and had no real maintainer, I think one
> thing to look at would be simply a per-module flag.
>
> That kind of thing should be fairly easy to implement, along the same
> lines as the module license - it just sets a flag in the ELF section
> headers.
>
> With something like that, we literally could make the default be "no
> autoloading except for root", and then just mark the modules that we
> think are ok and well maintained.
>
> Sure, if you then do a lock-down mode that makes that flag parsing
> stricter, then that's a separate thing. But I suspect we definitely
> could be a lot stricter on a per-module basis, and do it in a way
> where a normal user wouldn't even notice that we've limited the
> autoloading.
>
> But the first step would be to just add some noise. And even with the
> per-module flag, at first it would only suppress the noise (ie we'd
> still _allow_ loading other modules, they'd just be noisy). Then, if
> nobody hollers, maybe the next kernel release we'll make it actually
> enforce the flag.
>
On a slight tangent to all of this.
The issue of reducing attack surface has also come up in another thread
and it was suggested there that we make some ns_capable calls
conditionally capable calls so certain pieces of code won't be available
in user namespaces, when we know there is a bug but don't yet have a
good fix rolled out yet.
Which again brings us to attack surface reduction.
I was wondering if perhaps a better way to do some of that, might be to
have places in the kernel where we could use something like ftrace to
add a permission check at a well known functions boundaries and fail the
functions when we want to reduce the attack surface.
It is not as elegant as adding a maintenance status to a module and only
allowing actively maintained modules to be auto-loaded. But perhaps
with a few more eyes the idea can be fleshed out to something generally useful.
Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: ebiederm@xmission.com (Eric W. Biederman)
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: "Kees Cook" <keescook@chromium.org>,
"Geo Kozey" <geokozey@mailfence.com>,
"LSM List" <linux-security-module@vger.kernel.org>,
"Linux Kernel Mailing List" <linux-kernel@vger.kernel.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
"Mahesh Bandewar" <maheshb@google.com>,
"Serge E. Hallyn" <serge@hallyn.com>
Subject: Re: [kernel-hardening] Re: [PATCH v5 next 5/5] net: modules: use request_module_cap() to load 'netdev-%s' modules
Date: Tue, 28 Nov 2017 22:26:32 -0600 [thread overview]
Message-ID: <87o9nlk8w7.fsf@xmission.com> (raw)
In-Reply-To: <CA+55aFwDfBnMVGfBVkrFFr26tp1y8CUpSf154AuXH+sWyeY5FA@mail.gmail.com> (Linus Torvalds's message of "Tue, 28 Nov 2017 16:50:09 -0800")
Linus Torvalds <torvalds@linux-foundation.org> writes:
> On Tue, Nov 28, 2017 at 4:26 PM, Kees Cook <keescook@chromium.org> wrote:
>>
>>> The model that I am a proponent of is to take a softer approach
>>> initially: don't forbid module loading (because that breaks users),
>>> but instead _warn_ about non-root module loading. And then we can
>>> start fixing the cases that we find.
>>
>> I am totally fine with this. The question I'm hoping to have answered
>> is, "then what?" We already have concrete examples of module
>> autoloading that will still be need to stay unprivileged and as-is in
>> the kernel (even if we remove others). What do you see as the way to
>> allow an admin to turn those off?
>
> Just thinking about the DCCP case, where networking people actually
> knew it was pretty deprecated and had no real maintainer, I think one
> thing to look at would be simply a per-module flag.
>
> That kind of thing should be fairly easy to implement, along the same
> lines as the module license - it just sets a flag in the ELF section
> headers.
>
> With something like that, we literally could make the default be "no
> autoloading except for root", and then just mark the modules that we
> think are ok and well maintained.
>
> Sure, if you then do a lock-down mode that makes that flag parsing
> stricter, then that's a separate thing. But I suspect we definitely
> could be a lot stricter on a per-module basis, and do it in a way
> where a normal user wouldn't even notice that we've limited the
> autoloading.
>
> But the first step would be to just add some noise. And even with the
> per-module flag, at first it would only suppress the noise (ie we'd
> still _allow_ loading other modules, they'd just be noisy). Then, if
> nobody hollers, maybe the next kernel release we'll make it actually
> enforce the flag.
>
On a slight tangent to all of this.
The issue of reducing attack surface has also come up in another thread
and it was suggested there that we make some ns_capable calls
conditionally capable calls so certain pieces of code won't be available
in user namespaces, when we know there is a bug but don't yet have a
good fix rolled out yet.
Which again brings us to attack surface reduction.
I was wondering if perhaps a better way to do some of that, might be to
have places in the kernel where we could use something like ftrace to
add a permission check at a well known functions boundaries and fail the
functions when we want to reduce the attack surface.
It is not as elegant as adding a maintenance status to a module and only
allowing actively maintained modules to be auto-loaded. But perhaps
with a few more eyes the idea can be fleshed out to something generally useful.
Eric
next prev parent reply other threads:[~2017-11-29 4:26 UTC|newest]
Thread overview: 218+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-27 17:18 [kernel-hardening] [PATCH v5 next 0/5] Improve Module autoloading infrastructure Djalal Harouni
2017-11-27 17:18 ` Djalal Harouni
2017-11-27 17:18 ` Djalal Harouni
2017-11-27 17:18 ` [kernel-hardening] [PATCH v5 next 1/5] modules:capabilities: add request_module_cap() Djalal Harouni
2017-11-27 17:18 ` Djalal Harouni
2017-11-27 17:18 ` Djalal Harouni
2017-11-27 18:48 ` [kernel-hardening] " Randy Dunlap
2017-11-27 18:48 ` Randy Dunlap
2017-11-27 18:48 ` Randy Dunlap
2017-11-27 21:35 ` [kernel-hardening] " Djalal Harouni
2017-11-27 21:35 ` Djalal Harouni
2017-11-27 21:35 ` Djalal Harouni
2017-11-28 19:14 ` [kernel-hardening] " Luis R. Rodriguez
2017-11-28 19:14 ` Luis R. Rodriguez
2017-11-28 19:14 ` Luis R. Rodriguez
2017-11-28 20:11 ` [kernel-hardening] " Kees Cook
2017-11-28 20:11 ` Kees Cook
2017-11-28 20:11 ` Kees Cook
2017-11-28 21:16 ` [kernel-hardening] " Luis R. Rodriguez
2017-11-28 21:16 ` Luis R. Rodriguez
2017-11-28 21:16 ` Luis R. Rodriguez
2017-11-28 21:33 ` [kernel-hardening] " Djalal Harouni
2017-11-28 21:33 ` Djalal Harouni
2017-11-28 21:33 ` Djalal Harouni
2017-11-28 22:18 ` [kernel-hardening] " Luis R. Rodriguez
2017-11-28 22:18 ` Luis R. Rodriguez
2017-11-28 22:18 ` Luis R. Rodriguez
2017-11-28 22:52 ` [kernel-hardening] " Djalal Harouni
2017-11-28 22:52 ` Djalal Harouni
2017-11-28 22:52 ` Djalal Harouni
2017-11-28 21:39 ` [kernel-hardening] " Kees Cook
2017-11-28 21:39 ` Kees Cook
2017-11-28 21:39 ` Kees Cook
2017-11-28 22:12 ` [kernel-hardening] " Luis R. Rodriguez
2017-11-28 22:12 ` Luis R. Rodriguez
2017-11-28 22:12 ` Luis R. Rodriguez
2017-11-28 22:18 ` [kernel-hardening] " Kees Cook
2017-11-28 22:18 ` Kees Cook
2017-11-28 22:18 ` Kees Cook
2017-11-28 22:48 ` [kernel-hardening] " Luis R. Rodriguez
2017-11-28 22:48 ` Luis R. Rodriguez
2017-11-28 22:48 ` Luis R. Rodriguez
2017-11-29 7:49 ` [kernel-hardening] " Michal Kubecek
2017-11-29 7:49 ` Michal Kubecek
2017-11-29 7:49 ` Michal Kubecek
2017-11-29 13:46 ` [kernel-hardening] " Alan Cox
2017-11-29 13:46 ` Alan Cox
2017-11-29 13:46 ` Alan Cox
2017-11-29 14:50 ` [kernel-hardening] " David Miller
2017-11-29 14:50 ` David Miller
2017-11-29 14:50 ` David Miller
2017-11-29 15:54 ` [kernel-hardening] " Theodore Ts'o
2017-11-29 15:54 ` Theodore Ts'o
2017-11-29 15:54 ` Theodore Ts'o
2017-11-29 15:58 ` [kernel-hardening] " David Miller
2017-11-29 15:58 ` David Miller
2017-11-29 15:58 ` David Miller
2017-11-29 16:29 ` [kernel-hardening] " Theodore Ts'o
2017-11-29 16:29 ` Theodore Ts'o
2017-11-29 16:29 ` Theodore Ts'o
2017-11-29 22:45 ` [kernel-hardening] " Linus Torvalds
2017-11-29 22:45 ` Linus Torvalds
2017-11-29 22:45 ` Linus Torvalds
2017-11-30 0:06 ` [kernel-hardening] " Kees Cook
2017-11-30 0:06 ` Kees Cook
2017-11-30 0:06 ` Kees Cook
2017-11-29 17:28 ` [kernel-hardening] " Serge E. Hallyn
2017-11-29 17:28 ` Serge E. Hallyn
2017-11-29 17:28 ` Serge E. Hallyn
2017-11-30 0:35 ` [kernel-hardening] " Theodore Ts'o
2017-11-30 0:35 ` Theodore Ts'o
2017-11-30 0:35 ` Theodore Ts'o
2017-11-30 17:17 ` [kernel-hardening] " Serge E. Hallyn
2017-11-30 17:17 ` Serge E. Hallyn
2017-11-30 17:17 ` Serge E. Hallyn
2017-11-28 20:18 ` [kernel-hardening] " Djalal Harouni
2017-11-28 20:18 ` Djalal Harouni
2017-11-28 20:18 ` Djalal Harouni
2017-11-27 17:18 ` [kernel-hardening] [PATCH v5 next 2/5] modules:capabilities: add cap_kernel_module_request() permission check Djalal Harouni
2017-11-27 17:18 ` Djalal Harouni
2017-11-27 17:18 ` Djalal Harouni
2017-11-30 2:05 ` [kernel-hardening] " Luis R. Rodriguez
2017-11-30 2:05 ` Luis R. Rodriguez
2017-11-30 2:05 ` Luis R. Rodriguez
2017-11-27 17:18 ` [kernel-hardening] [PATCH v5 next 3/5] modules:capabilities: automatic module loading restriction Djalal Harouni
2017-11-27 17:18 ` Djalal Harouni
2017-11-27 17:18 ` Djalal Harouni
2017-11-30 1:23 ` [kernel-hardening] " Luis R. Rodriguez
2017-11-30 1:23 ` Luis R. Rodriguez
2017-11-30 1:23 ` Luis R. Rodriguez
2017-11-30 12:22 ` [kernel-hardening] " Djalal Harouni
2017-11-30 12:22 ` Djalal Harouni
2017-11-30 12:22 ` Djalal Harouni
2017-11-27 17:18 ` [kernel-hardening] [PATCH v5 next 4/5] modules:capabilities: add a per-task modules auto-load mode Djalal Harouni
2017-11-27 17:18 ` Djalal Harouni
2017-11-27 17:18 ` Djalal Harouni
2017-11-27 17:18 ` [kernel-hardening] [PATCH v5 next 5/5] net: modules: use request_module_cap() to load 'netdev-%s' modules Djalal Harouni
2017-11-27 17:18 ` Djalal Harouni
2017-11-27 17:18 ` Djalal Harouni
2017-11-27 18:44 ` [kernel-hardening] " Linus Torvalds
2017-11-27 18:44 ` Linus Torvalds
2017-11-27 18:44 ` Linus Torvalds
2017-11-27 21:41 ` [kernel-hardening] " Djalal Harouni
2017-11-27 21:41 ` Djalal Harouni
2017-11-27 21:41 ` Djalal Harouni
2017-11-27 22:04 ` [kernel-hardening] " Linus Torvalds
2017-11-27 22:04 ` Linus Torvalds
2017-11-27 22:04 ` Linus Torvalds
2017-11-27 22:59 ` [kernel-hardening] " Kees Cook
2017-11-27 22:59 ` Kees Cook
2017-11-27 22:59 ` Kees Cook
2017-11-27 23:14 ` [kernel-hardening] " Linus Torvalds
2017-11-27 23:14 ` Linus Torvalds
2017-11-27 23:14 ` Linus Torvalds
2017-11-27 23:19 ` [kernel-hardening] " Kees Cook
2017-11-27 23:19 ` Kees Cook
2017-11-27 23:19 ` Kees Cook
2017-11-27 23:35 ` [kernel-hardening] " Linus Torvalds
2017-11-27 23:35 ` Linus Torvalds
2017-11-27 23:35 ` Linus Torvalds
2017-11-28 1:23 ` [kernel-hardening] " Kees Cook
2017-11-28 1:23 ` Kees Cook
2017-11-28 1:23 ` Kees Cook
2017-11-28 12:16 ` [kernel-hardening] " Geo Kozey
2017-11-28 12:16 ` Geo Kozey
2017-11-28 19:32 ` Theodore Ts'o
2017-11-28 19:32 ` Theodore Ts'o
2017-11-28 20:08 ` Kees Cook
2017-11-28 20:08 ` Kees Cook
2017-11-28 20:12 ` Linus Torvalds
2017-11-28 20:12 ` Linus Torvalds
2017-11-28 20:20 ` Kees Cook
2017-11-28 20:20 ` Kees Cook
2017-11-28 20:33 ` Linus Torvalds
2017-11-28 20:33 ` Linus Torvalds
2017-11-28 21:10 ` Djalal Harouni
2017-11-28 21:10 ` Djalal Harouni
2017-11-28 21:33 ` Kees Cook
2017-11-28 21:33 ` Kees Cook
2017-11-28 23:23 ` Theodore Ts'o
2017-11-28 23:23 ` Theodore Ts'o
2017-11-28 23:29 ` Kees Cook
2017-11-28 23:29 ` Kees Cook
2017-11-28 23:49 ` Theodore Ts'o
2017-11-28 23:49 ` Theodore Ts'o
2017-11-29 0:18 ` Kees Cook
2017-11-29 0:18 ` Kees Cook
2017-11-29 6:36 ` Theodore Ts'o
2017-11-29 6:36 ` Theodore Ts'o
2017-11-29 14:46 ` Geo Kozey
2017-11-29 14:46 ` Geo Kozey
2017-12-01 15:22 ` Marcus Meissner
2017-12-01 15:22 ` Marcus Meissner
2017-11-28 23:53 ` Djalal Harouni
2017-11-28 23:53 ` Djalal Harouni
2017-11-28 21:51 ` Geo Kozey
2017-11-28 21:51 ` Geo Kozey
2017-11-28 23:51 ` Linus Torvalds
2017-11-28 23:51 ` Linus Torvalds
2017-11-29 0:17 ` Linus Torvalds
2017-11-29 0:17 ` Linus Torvalds
2017-11-29 0:26 ` Kees Cook
2017-11-29 0:26 ` Kees Cook
2017-11-29 0:50 ` Linus Torvalds
2017-11-29 0:50 ` Linus Torvalds
2017-11-29 4:26 ` Eric W. Biederman [this message]
2017-11-29 4:26 ` Eric W. Biederman
2017-11-29 4:26 ` Eric W. Biederman
2017-11-29 18:30 ` Kees Cook
2017-11-29 18:30 ` Kees Cook
2017-11-29 18:46 ` Linus Torvalds
2017-11-29 18:46 ` Linus Torvalds
2017-11-29 18:53 ` Linus Torvalds
2017-11-29 18:53 ` Linus Torvalds
2017-11-29 21:17 ` Kees Cook
2017-11-29 21:17 ` Kees Cook
2017-11-29 22:14 ` Linus Torvalds
2017-11-29 22:14 ` Linus Torvalds
2017-11-30 0:44 ` Kees Cook
2017-11-30 0:44 ` Kees Cook
2017-11-30 2:08 ` Linus Torvalds
2017-11-30 2:08 ` Linus Torvalds
2017-11-30 6:51 ` Daniel Micay
2017-11-30 6:51 ` Daniel Micay
2017-11-30 8:50 ` Djalal Harouni
2017-11-30 8:50 ` Djalal Harouni
2017-11-30 14:16 ` Theodore Ts'o
2017-11-30 14:16 ` Theodore Ts'o
2017-11-30 14:51 ` Djalal Harouni
2017-11-30 14:51 ` Djalal Harouni
2017-12-01 6:39 ` Daniel Micay
2017-12-01 6:39 ` Daniel Micay
2017-11-29 15:28 ` Geo Kozey
2017-11-29 15:28 ` Geo Kozey
2017-11-27 18:41 ` [kernel-hardening] Re: [PATCH v5 next 0/5] Improve Module autoloading infrastructure Linus Torvalds
2017-11-27 18:41 ` Linus Torvalds
2017-11-27 18:41 ` Linus Torvalds
2017-11-27 19:02 ` [kernel-hardening] " Linus Torvalds
2017-11-27 19:02 ` Linus Torvalds
2017-11-27 19:02 ` Linus Torvalds
2017-11-27 19:12 ` [kernel-hardening] " Linus Torvalds
2017-11-27 19:12 ` Linus Torvalds
2017-11-27 19:12 ` Linus Torvalds
2017-11-27 21:31 ` [kernel-hardening] " Djalal Harouni
2017-11-27 21:31 ` Djalal Harouni
2017-11-27 21:31 ` Djalal Harouni
2017-11-27 19:14 ` [kernel-hardening] " David Miller
2017-11-27 19:14 ` David Miller
2017-11-27 19:14 ` David Miller
2017-11-27 22:31 ` [kernel-hardening] " James Morris
2017-11-27 22:31 ` James Morris
2017-11-27 22:31 ` James Morris
2017-11-27 23:04 ` [kernel-hardening] " Kees Cook
2017-11-27 23:04 ` Kees Cook
2017-11-27 23:04 ` Kees Cook
2017-11-27 23:44 ` [kernel-hardening] " James Morris
2017-11-27 23:44 ` James Morris
2017-11-27 23:44 ` James Morris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87o9nlk8w7.fsf@xmission.com \
--to=ebiederm@xmission.com \
--cc=geokozey@mailfence.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=maheshb@google.com \
--cc=serge@hallyn.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.