From: mcgrof@kernel.org (Luis R. Rodriguez)
To: linux-security-module@vger.kernel.org
Subject: [PATCH v5 next 1/5] modules:capabilities: add request_module_cap()
Date: Tue, 28 Nov 2017 23:18:56 +0100 [thread overview]
Message-ID: <20171128221856.GS729@wotan.suse.de> (raw)
In-Reply-To: <CAEiveUf3Zdw=+MPTHRSRsNq3o9M0XOgnXBVszdsGAPvhyS5wLw@mail.gmail.com>
On Tue, Nov 28, 2017 at 10:33:27PM +0100, Djalal Harouni wrote:
> On Tue, Nov 28, 2017 at 10:16 PM, Luis R. Rodriguez <mcgrof@kernel.org> wrote:
> > On Tue, Nov 28, 2017 at 12:11:34PM -0800, Kees Cook wrote:
> >> On Tue, Nov 28, 2017 at 11:14 AM, Luis R. Rodriguez <mcgrof@kernel.org> wrote:
> >> > kmod is just a helper to poke userpsace to load a module, that's it.
> >> >
> >> > The old init_module() and newer finit_module() do the real handy work or
> >> > module loading, and both currently only use may_init_module():
> >> >
> >> > static int may_init_module(void)
> >> > {
> >> > if (!capable(CAP_SYS_MODULE) || modules_disabled)
> >> > return -EPERM;
> >> >
> >> > return 0;
> >> > }
> >> >
> >> > This begs the question:
> >> >
> >> > o If userspace just tries to just use raw finit_module() do we want similar
> >> > checks?
> >> >
> >> > Otherwise, correct me if I'm wrong this all seems pointless.
> >>
> >> Hm? That's direct-loading, not auto-loading. This series is only about
> >> auto-loading.
> >
> > And *all* auto-loading uses aliases? What's the difference between auto-loading
> > and direct-loading?
>
> Not all auto-loading uses aliases, auto-loading is when kernel code
> calls request_module() to loads the feature that was not present,
It seems the actual interest here is system call implicated request_module()
calls? Because there are uses of request_module() which may be module hacks,
and not implicated via system calls.
> and direct-loading in this thread is the direct syscalls like
> finit_module().
OK.
> >> We already have a global sysctl for blocking direct-loading (modules_disabled).
> >
> > My point was that even if you have a CAP_NET_ADMIN check on request_module(),
> > finit_module() will not check for it, so a crafty userspace could still try
> > to just finit_module() directly, and completely then bypass the CAP_NET_ADMIN
> > check.
>
> The finit_module() uses CAP_SYS_MODULE which should allow all modules
> and in this context it should be more privileged than CAP_NET_ADMIN
> which is only for "netdev-%s" (to not load arbitrary modules with it).
>
> finit_module() coming from request_module() always has the
> CAP_NET_ADMIN, hence the check is done before.
But since CAP_SYS_MODULE is more restrictive, what's the point in checking
for CAP_NET_ADMIN?
> > So unless I'm missing something, I see no point in adding extra checks for
> > request_module() but nothing for the respective load_module().
>
> I see, request_module() is called from kernel context which runs in
> init namespace will full capabilities, the spawned userspace modprobe
> will get CAP_SYS_MODULE and all other caps, then after comes modprobe
> and load_module().
Right, so defining the gains of adding this extra check is not very clear
yet. It would seem a benefit exists, what is it?
> Btw as suggested by Linus I will update with request_module_cap() and > I can
> offer my help maintaining these bits too.
Can you start by extending lib/test_module.c and
tools/testing/selftests/kmod/kmod.sh with a proof of concept of the gains here,
as well as ensuring things work as expected ?
Luis
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2017-11-28 22:18 UTC|newest]
Thread overview: 84+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-27 17:18 [PATCH v5 next 0/5] Improve Module autoloading infrastructure Djalal Harouni
2017-11-27 17:18 ` [PATCH v5 next 1/5] modules:capabilities: add request_module_cap() Djalal Harouni
2017-11-27 18:48 ` Randy Dunlap
2017-11-27 21:35 ` Djalal Harouni
2017-11-28 19:14 ` Luis R. Rodriguez
2017-11-28 20:11 ` Kees Cook
2017-11-28 21:16 ` Luis R. Rodriguez
2017-11-28 21:33 ` Djalal Harouni
2017-11-28 22:18 ` Luis R. Rodriguez [this message]
2017-11-28 22:52 ` Djalal Harouni
2017-11-28 21:39 ` Kees Cook
2017-11-28 22:12 ` Luis R. Rodriguez
2017-11-28 22:18 ` Kees Cook
2017-11-28 22:48 ` Luis R. Rodriguez
2017-11-29 7:49 ` Michal Kubecek
2017-11-29 13:46 ` Alan Cox
2017-11-29 14:50 ` David Miller
2017-11-29 15:54 ` Theodore Ts'o
2017-11-29 15:58 ` David Miller
2017-11-29 16:29 ` Theodore Ts'o
2017-11-29 22:45 ` Linus Torvalds
2017-11-30 0:06 ` Kees Cook
2017-11-29 17:28 ` Serge E. Hallyn
2017-11-30 0:35 ` Theodore Ts'o
2017-11-30 17:17 ` Serge E. Hallyn
2017-11-28 20:18 ` Djalal Harouni
2017-11-27 17:18 ` [PATCH v5 next 2/5] modules:capabilities: add cap_kernel_module_request() permission check Djalal Harouni
2017-11-30 2:05 ` Luis R. Rodriguez
2017-11-27 17:18 ` [PATCH v5 next 3/5] modules:capabilities: automatic module loading restriction Djalal Harouni
2017-11-30 1:23 ` Luis R. Rodriguez
2017-11-30 12:22 ` Djalal Harouni
2017-11-27 17:18 ` [PATCH v5 next 4/5] modules:capabilities: add a per-task modules auto-load mode Djalal Harouni
2017-11-27 17:18 ` [PATCH v5 next 5/5] net: modules: use request_module_cap() to load 'netdev-%s' modules Djalal Harouni
2017-11-27 18:44 ` Linus Torvalds
2017-11-27 21:41 ` Djalal Harouni
2017-11-27 22:04 ` Linus Torvalds
2017-11-27 22:59 ` Kees Cook
2017-11-27 23:14 ` Linus Torvalds
2017-11-27 23:19 ` Kees Cook
2017-11-27 23:35 ` Linus Torvalds
2017-11-28 1:23 ` Kees Cook
2017-11-28 12:16 ` [kernel-hardening] " Geo Kozey
2017-11-28 19:32 ` Theodore Ts'o
2017-11-28 20:08 ` Kees Cook
2017-11-28 20:12 ` Linus Torvalds
2017-11-28 20:20 ` Kees Cook
2017-11-28 20:33 ` Linus Torvalds
2017-11-28 21:10 ` Djalal Harouni
2017-11-28 21:33 ` Kees Cook
2017-11-28 23:23 ` Theodore Ts'o
2017-11-28 23:29 ` Kees Cook
2017-11-28 23:49 ` Theodore Ts'o
2017-11-29 0:18 ` Kees Cook
2017-11-29 6:36 ` Theodore Ts'o
2017-11-29 14:46 ` Geo Kozey
2017-12-01 15:22 ` Marcus Meissner
2017-11-28 23:53 ` Djalal Harouni
2017-11-28 21:51 ` Geo Kozey
2017-11-28 23:51 ` Linus Torvalds
2017-11-29 0:17 ` Linus Torvalds
2017-11-29 0:26 ` Kees Cook
2017-11-29 0:50 ` Linus Torvalds
2017-11-29 4:26 ` Eric W. Biederman
2017-11-29 18:30 ` Kees Cook
2017-11-29 18:46 ` Linus Torvalds
2017-11-29 18:53 ` Linus Torvalds
2017-11-29 21:17 ` Kees Cook
2017-11-29 22:14 ` Linus Torvalds
2017-11-30 0:44 ` Kees Cook
2017-11-30 2:08 ` Linus Torvalds
2017-11-30 6:51 ` Daniel Micay
2017-11-30 8:50 ` Djalal Harouni
2017-11-30 14:16 ` Theodore Ts'o
2017-11-30 14:51 ` Djalal Harouni
2017-12-01 6:39 ` Daniel Micay
2017-11-29 15:28 ` Geo Kozey
2017-11-27 18:41 ` [PATCH v5 next 0/5] Improve Module autoloading infrastructure Linus Torvalds
2017-11-27 19:02 ` Linus Torvalds
2017-11-27 19:12 ` Linus Torvalds
2017-11-27 21:31 ` Djalal Harouni
2017-11-27 19:14 ` David Miller
2017-11-27 22:31 ` James Morris
2017-11-27 23:04 ` Kees Cook
2017-11-27 23:44 ` James Morris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171128221856.GS729@wotan.suse.de \
--to=mcgrof@kernel.org \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).