public inbox for linux-kernel@vger.kernel.org
From: Ben Hutchings <bhutchings@solarflare.com>
To: Eric Paris <eparis@redhat.com>
Cc: "Serge E. Hallyn" <serge.hallyn@ubuntu.com>,
	Eric Paris <eparis@parisplace.org>,
	Vasiliy Kulikov <segoon@openwall.com>,
	linux-kernel@vger.kernel.org, mjt@tls.msk.ru, arnd@arndb.de,
	mirqus@gmail.com, netdev@vger.kernel.org,
	David Miller <davem@davemloft.net>,
	kuznet@ms2.inr.ac.ru, pekkas@netcore.fi, jmorris@namei.org,
	yoshfuji@linux-ipv6.org, kaber@trash.net, eric.dumazet@gmail.com,
	therbert@google.com, xiaosuo@gmail.com, jesse@nicira.com,
	kees.cook@canonical.com, eugene@redhat.com,
	dan.j.rosenberg@gmail.com, akpm@linux-foundation.org,
	Greg KH <greg@kroah.com>, Stephen Smalley <sds@tycho.nsa.gov>,
	LSM List <linux-security-module@vger.kernel.org>,
	Daniel J Walsh <dwalsh@redhat.com>,
	David Howells <dhowells@redhat.com>
Subject: Re: [PATCH v2] net: don't allow CAP_NET_ADMIN to load non-netdev kernel modules
Date: Thu, 24 Mar 2011 18:33:04 +0000
Message-ID: <1300991584.2689.35.camel@bwh-desktop>
In-Reply-To: <1300989839.2398.17.camel@localhost.localdomain>

On Thu, 2011-03-24 at 14:03 -0400, Eric Paris wrote:
> On Thu, 2011-03-24 at 10:37 -0500, Serge E. Hallyn wrote:
> > Quoting Eric Paris (eparis@parisplace.org):
> > > On Tue, Mar 1, 2011 at 4:33 PM, Vasiliy Kulikov <segoon@openwall.com> wrote:
> > ...
> > > This patch is causing a bit of a problem in Fedora.  The problem lies
> > 
> > Sorry, what exactly is the problem it is causing?  I gather it's
> > spitting out printks?  What exactly do the printks say?  The patch
> > included at bottom checks for CAP_NET_ADMIN before checking for
> > CAP_SYS_MODULE, so these must be cases which historically always
> > quietly failed, and are now hitting the 'pr_err' which this patch
> > adds?
> 
> Not quite.  SELinux logs every time an operation is denied.  This patch
> means that every time a module is requested which does not exist as
> netdev-* we check CAP_SYS_MODULE.  SELinux does not allow CAP_SYS_MODULE
> and thus we get SELinux complaining that tasks are trying to load
> modules.

This is exactly what would have happened before 2.6.32.  Unfortunately
the incorrect behaviour introduced in 2.6.32 (CAP_NET_ADMIN allows you
to load any module installed in the usual place) is now present in
basically every current distribution, and it sounds like some of them
now assume that dev_load() no longer requires CAP_SYS_MODULE.

[...]
> I think there are 3 possibilities:
>
> Change SELinux policy so as to not complain when udev/NM/libvirt try to
> check CAP_SYS_MODULE, but that's a bad idea, since if they ever try to
> use init_module(2) we won't get denials.
>
> Change this callsite to a _noaudit check.  Which is better than above
> but still not great since we wouldn't get a denial log if anybody had
> tried to load xfs....

There are no evil bits in device or module names, so the kernel can't
tell whether the attempt should be logged.  But then, adding some sort
of policy option for whether to audit CAP_SYS_MODULE use here strikes me
as over-engineering.  Just make a decision based on what SELinux users
seem to prefer.

> Figure out a way to stop the calls to "reg" "wifi0" and "virbr0" if they
> don't exist.
>
> I feel like the last one is the best way, but I don't know what a
> solution could look like....

This really has to be done in userland, where these names are being
invented.  Though I suspect the usual way to check whether an interface
exists would be SIOCGIFINDEX, which calls dev_load()!  An alternate
would be to check whether /sys/class/net/<name> exists, but I seem to
recall that /sys/class is somewhat deprecated.

Ben.

-- 
Ben Hutchings, Senior Software Engineer, Solarflare
Not speaking for my employer; that's the marketing department's job.
They asked us to note that Solarflare product names are trademarked.
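The userland check Ben suggests, as an added C example that is not code from the thread or from any of the projects named in it: it tests /sys/class/net/<name> instead of issuing SIOCGIFINDEX, validates the name before building the path, and keeps the ioctl variant alongside only to show which call reaches dev_load(). Function names are my own.

```c
/* Added example, not from the thread: does an interface exist, without
 * SIOCGIFINDEX (which calls dev_load() and so can hit the CAP_SYS_MODULE
 * check and SELinux denials discussed above)?  Uses /sys/class/net/<name>. */
#define _GNU_SOURCE
#include <net/if.h>      /* IFNAMSIZ, struct ifreq, SIOCGIFINDEX */
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <unistd.h>

/* Refuse names that are empty, too long for the kernel, or that could
 * escape the sysfs directory once pasted into a path. */
int iface_name_ok(const char *name)
{
    size_t len = name ? strlen(name) : 0;
    if (len == 0 || len >= IFNAMSIZ || strchr(name, '/'))
        return 0;
    return strcmp(name, ".") != 0 && strcmp(name, "..") != 0;
}

/* Userland-only check: 1 if /sys/class/net/<name> exists, 0 if not,
 * -1 for an invalid name.  Never enters dev_load(). */
int iface_exists_sysfs(const char *name)
{
    char path[sizeof("/sys/class/net/") + IFNAMSIZ];
    struct stat st;
    if (!iface_name_ok(name))
        return -1;
    snprintf(path, sizeof(path), "/sys/class/net/%s", name);
    return stat(path, &st) == 0;
}

/* The ioctl route, for contrast: on the kernels discussed a miss here makes
 * the kernel try to autoload a module named after the interface. */
int iface_exists_ioctl(const char *name)
{
    struct ifreq ifr;
    int fd, found;
    if (!iface_name_ok(name))
        return -1;
    if ((fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
        return -1;
    memset(&ifr, 0, sizeof(ifr));
    strncpy(ifr.ifr_name, name, IFNAMSIZ - 1);
    found = ioctl(fd, SIOCGIFINDEX, &ifr) == 0;
    close(fd);
    return found;
}
```

Ben also notes /sys/class may be deprecated; the same check works against /sys/class/net on every kernel in the thread's range, and the ioctl variant is there to see the difference under an SELinux audit log, not as the recommended path.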

