From: Tycho Andersen <tycho@tycho.pizza>
To: Topi Miettinen <toiwoton@gmail.com>
Cc: linux-modules <linux-modules@vger.kernel.org>,
Kernel Hardening <kernel-hardening@lists.openwall.com>,
"linux-hardening@vger.kernel.org"
<linux-hardening@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: Per-process flag set via prctl() to deny module loading?
Date: Mon, 10 Apr 2023 15:25:53 -0600 [thread overview]
Message-ID: <ZDR+4R4AKfnBcMOu@tycho.pizza> (raw)
In-Reply-To: <4017c904-9918-3e0c-b687-f55cfc5c4f4d@gmail.com>
On Mon, Apr 10, 2023 at 11:47:16PM +0300, Topi Miettinen wrote:
> On 10.4.2023 16.36, Tycho Andersen wrote:
> > On Mon, Apr 10, 2023 at 01:06:00PM +0300, Topi Miettinen wrote:
> > > I'd propose to add a per-process flag to irrevocably deny any loading of
> > > kernel modules for the process and its children. The flag could be set (but
> > > not unset) via prctl() and for unprivileged processes, only when
> > > NoNewPrivileges is also set. This would be similar to CAP_SYS_MODULE, but
> > > unlike capabilities, there would be no issues with namespaces since the flag
> > > isn't namespaced.
> > >
> > > The implementation should be very simple.
> > >
> > > Preferably the flag, when configured, would be set by systemd, Firejail and
> > > maybe also container managers. The expectation would be that the permission
> > > to load modules would be retained only by udev and where SUID needs to be
> > > allowed (NoNewPrivileges unset).
> >
> > You can do something like this today via STATIC_USERMODEHELPER without
> > the need for kernel patches. It is a bit heavyweight for a
> > general-purpose system though.
>
> So the user mode helper would be launched whenever there is a module request
> and it would check whether the process is allowed to load modules or not?
Yes, exactly.
> Does it know which process caused the module to be loaded and what were its
> credentials at that time?
It doesn't know which process caused the module load, which is kind of
unfortunate. It looks like you could stick it in the environment in
kernel/kmod.c:call_modprobe() without breaking too many things,
though.
Tycho
next prev parent reply other threads:[~2023-04-10 21:26 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-10 10:06 Per-process flag set via prctl() to deny module loading? Topi Miettinen
2023-04-10 13:36 ` Tycho Andersen
2023-04-10 20:47 ` Topi Miettinen
2023-04-10 21:25 ` Tycho Andersen [this message]
2023-04-10 18:37 ` Greg KH
2023-04-10 21:04 ` Topi Miettinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZDR+4R4AKfnBcMOu@tycho.pizza \
--to=tycho@tycho.pizza \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-modules@vger.kernel.org \
--cc=toiwoton@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox