From: Eric Paris <eparis@redhat.com>
To: Neil Horman <nhorman@tuxdriver.com>
Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
linux-security-module@vger.kernel.org, sds@tycho.nsa.gov,
davem@davemloft.net, shemminger@linux-foundation.org,
kees@ubuntu.com, morgan@kernel.org, serue@us.ibm.com,
casey@schaufler-ca.com, dwlash@redhat.com
Subject: Re: module loading permissions and request_module permission inconsistencies
Date: Mon, 10 Aug 2009 16:48:59 -0400 [thread overview]
Message-ID: <1249937339.2501.80.camel@dhcp231-106.rdu.redhat.com> (raw)
In-Reply-To: <20090810202308.GA15390@hmsreliant.think-freely.org>
On Mon, 2009-08-10 at 16:23 -0400, Neil Horman wrote:
> On Mon, Aug 10, 2009 at 03:45:13PM -0400, Eric Paris wrote:
> > 1) remove CAP_SYS_MODULE from the networking code and instead check
> > CAP_NET_ADMIN. Maybe CAP_NET_ADMIN is already being checked and I'll
> > just remove the capable call altogether but at least I can more
> > intelligently limit the powers of these processes and they will still be
> > root limited according to DAC permissions like they are today.
> >
> Would this have any adverse effect on how user space sees this working.
> Intuitively I would think that if you wanted to load a module (directly or
> indirectly, via an iptables command or whatnot), you would need CAP_SYS_MODULE
> capabilities on the calling process, not just CAP_NET_ADMIN. I honestly don't
> know the answer here, I'm just raising the question.
While that might make intuitive sense, it's actually proving to be a bad
idea to use the same capability for direct and indirect module loading
(especially considering we have 125 other places in the kernel where you
can do indirect module loading without any security check) And believe
me, if someone suggests I move a CAP_SYS_MODULE check down into
__request_module I'll scream about what a horrible idea that is (and
then laugh at them behind their back).
While I think there should be some check in __request_module I don't
think it should be CAP_SYS_MODULE.
CAP_NET_ADMIN at least limits us to root and in all reality to the same
situation everyone is in today. I just checked every single selinux
domain that grants CAP_SYS_MODULE already grants CAP_NET_ADMIN, so we
can somewhat safely say that nothing (on a fedora system at least) would
break with this change.
-Eric
next prev parent reply other threads:[~2009-08-10 20:48 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-08-10 19:45 module loading permissions and request_module permission inconsistencies Eric Paris
2009-08-10 20:23 ` Neil Horman
2009-08-10 20:48 ` Eric Paris [this message]
2009-08-10 23:25 ` Neil Horman
2009-08-11 1:29 ` Eric Paris
2009-08-12 23:48 ` Serge E. Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1249937339.2501.80.camel@dhcp231-106.rdu.redhat.com \
--to=eparis@redhat.com \
--cc=casey@schaufler-ca.com \
--cc=davem@davemloft.net \
--cc=dwlash@redhat.com \
--cc=kees@ubuntu.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=morgan@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=nhorman@tuxdriver.com \
--cc=sds@tycho.nsa.gov \
--cc=serue@us.ibm.com \
--cc=shemminger@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).