Date: Fri, 5 Jun 2026 18:36:46 +0000
From: Sami Tolvanen
To: Michal Gorlas, Kees Cook
Cc: Jonathan Corbet, Shuah Khan, Luis Chamberlain, Petr Pavlu, Daniel Gomez, Aaron Tomlin, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-modules@vger.kernel.org
Subject: Re: [PATCH 0/2] module: restrict module auto-loading to privileged users
Message-ID: <20260605183646.GC2939956@google.com>
References: <20260515-autoload_restrict-v1-0-40b7c03ddd04@9elements.com>
In-Reply-To: <20260515-autoload_restrict-v1-0-40b7c03ddd04@9elements.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, May 15, 2026 at 07:20:18PM +0200, Michal Gorlas wrote:
> Add option to restrict the module auto-loading to CAP_SYS_ADMIN.
> This is heavily inspired by CONFIG_GRKERNSEC_MODHARDEN of the latest
> available Grsecurity patches [1]. Instead of checking whether the
> callers' UID is 0, check whether the calling process has CAP_SYS_ADMIN.
> The reasoning here is that many modules are autoloaded by systemd
> services which are running as privileged users, but do not have UID 0.
> While systemd-udevd runs as root, systemd-network (which often
> auto-loads a module) for example runs as system user (UID range 6 to
> 999).
>
> When enabled, reduces attack surface where unprivileged users can trigger
> vulnerable module to be auto-loaded, to then exploit it. Recent LPEs
> (CopyFail [3], DirtyFrag [4]) for example, would have been mitigated
> with this option enabled as long as the vulnerable modules are not built-in
> (or already loaded at the point of running the exploit).

This sounds potentially useful as an optional feature. Kees, you've
looked at grsec features in the past, do you have any thoughts about
this?

Sami
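
The quoted cover letter contrasts a UID-0 check with a CAP_SYS_ADMIN check for module auto-loading. The following userspace sketch is an added example, not code from the patch series or from Grsecurity. It evaluates both policies against `/proc/<pid>/status` excerpts; the struct, the function names and the three status excerpts are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define CAP_SYS_ADMIN_BIT 21 /* value of CAP_SYS_ADMIN in <linux/capability.h> */

struct cred_view { unsigned euid; unsigned long long cap_eff; };

/* Constructed /proc/<pid>/status excerpts (not captured from a real system). */
static const char SAMPLE_USER[] =       /* ordinary user, no capabilities */
    "Name:\tsh\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n";
static const char SAMPLE_SERVICE[] =    /* system user holding CAP_SYS_ADMIN */
    "Name:\tsvc\nUid:\t990\t990\t990\t990\nCapEff:\t0000000000200000\n";
static const char SAMPLE_ROOT_NOCAP[] = /* UID 0 with a reduced capability set */
    "Name:\tinit\nUid:\t0\t0\t0\t0\nCapEff:\t00000000a80425fb\n";

/* Extract the effective UID (2nd "Uid:" field) and the CapEff mask. */
static bool parse_status(const char *text, struct cred_view *out)
{
    const char *u = strstr(text, "\nUid:");
    const char *c = strstr(text, "\nCapEff:");
    unsigned ruid;

    if (!u || !c)
        return false;
    return sscanf(u, "\nUid: %u %u", &ruid, &out->euid) == 2 &&
           sscanf(c, "\nCapEff: %llx", &out->cap_eff) == 1;
}

/* Policy A: allow auto-load only for UID 0. */
static bool autoload_ok_uid0(const struct cred_view *c) { return c->euid == 0; }

/* Policy B: allow auto-load only with CAP_SYS_ADMIN in the effective set. */
static bool autoload_ok_cap(const struct cred_view *c)
{
    return (c->cap_eff >> CAP_SYS_ADMIN_BIT) & 1ULL;
}

/* Bit 0: UID-0 policy allows; bit 1: capability policy allows; -1: parse error. */
static int evaluate(const char *status_text)
{
    struct cred_view c;

    if (!parse_status(status_text, &c))
        return -1;
    return (autoload_ok_uid0(&c) ? 1 : 0) | (autoload_ok_cap(&c) ? 2 : 0);
}

int main(void)
{
    printf("user=%d service=%d root-nocap=%d\n", evaluate(SAMPLE_USER),
           evaluate(SAMPLE_SERVICE), evaluate(SAMPLE_ROOT_NOCAP));
    return 0;
}
```

The third sample shows that the two policies differ in both directions: a UID-0 process that has dropped CAP_SYS_ADMIN passes the UID check but not the capability check.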