From mboxrd@z Thu Jan 1 00:00:00 1970 From: Alexei Starovoitov Subject: Re: [PATCH net-next] modules: allow modprobe load regular elf binaries Date: Fri, 9 Mar 2018 10:58:06 -0800 Message-ID: <77cdc9f5-b51c-a18d-5422-763cc4e76279@fb.com> References: <87478c51-59a7-f6ac-1fb2-f3ca2dcf658b@fb.com> <20180309.133509.1275903267249306409.davem@davemloft.net> Mime-Version: 1.0 Content-Type: text/plain; charset="utf-8"; format=flowed Content-Transfer-Encoding: 7bit Cc: David Miller , Andy Lutomirski , Alexei Starovoitov , Djalal Harouni , Al Viro , Daniel Borkmann , Greg KH , "Luis R. Rodriguez" , Network Development , LKML , kernel-team , Linux API To: Linus Torvalds , Kees Cook Return-path: In-Reply-To: Sender: linux-kernel-owner@vger.kernel.org List-Id: netdev.vger.kernel.org On 3/9/18 10:50 AM, Linus Torvalds wrote: > On Fri, Mar 9, 2018 at 10:43 AM, Kees Cook wrote: >> >> Module loading (via kernel_read_file()) already uses >> deny_write_access(), and so does do_open_execat(). As long as module >> loading doesn't call allow_write_access() before the execve() has >> started in the new implementation, I think we'd be covered here. > > No. kernel_read_file() only does it *during* the read. > > So there's a huge big honking gap between the two. > > Also, the second part of my suggestion was to be entirely synchronous > with the whole execution of the process, and do it within the "we do > mutual exclusion fo rmodules with the same name" logic. > > Note that Andrei's patch uses UMH_WAIT_EXEC. That's basically > "vfork+exec" - it only waits for the exec to have started, it doesn't > wait for the whole thing. It's not waiting for the whole thing, because once bpfilter starts it stays running/sleeping because it's stateful. It needs normal malloc-ed memory to keep the state of iptable->bpf translation that it will use later during subsequent translation calls. Theoretically it can use bpf maps pinned in kernel memory to keep this state, but then it's non-swappable. It's better to keep bpfilter state in its own user memory.