[kernel-hardening] Re: [PATCH v3 1/2] modules:capabilities: automatic module... | linux-security-module

[PATCH v3 0/2] modules:capabilities: automatic module loading restrictions · Djalal Harouni <hidden> · 2017-04-19
[PATCH v3 1/2] modules:capabilities: automatic module loading restriction · Djalal Harouni <hidden> · 2017-04-19
Re: [PATCH v3 1/2] modules:capabilities: automatic module loading restriction · Andy Lutomirski <luto@kernel.org> · 2017-04-19
Re: [PATCH v3 1/2] modules:capabilities: automatic module loading restriction · Ben Hutchings <hidden> · 2017-04-20
Re: [kernel-hardening] Re: [PATCH v3 1/2] modules:capabilities: automatic module loading restriction · Djalal Harouni <hidden> · 2017-04-20
Re: [kernel-hardening] Re: [PATCH v3 1/2] modules:capabilities: automatic module loading restriction · Ben Hutchings <hidden> · 2017-04-20
Re: [kernel-hardening] Re: [PATCH v3 1/2] modules:capabilities: automatic module loading restriction · Djalal Harouni <hidden> · 2017-04-20
Re: [kernel-hardening] Re: [PATCH v3 1/2] modules:capabilities: automatic module loading restriction · Kees Cook <hidden> · 2017-04-20
[PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Djalal Harouni <hidden> · 2017-04-19
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Djalal Harouni <hidden> · 2017-04-19
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Andy Lutomirski <luto@kernel.org> · 2017-04-19
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Kees Cook <hidden> · 2017-04-19
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Andy Lutomirski <luto@kernel.org> · 2017-04-20
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Kees Cook <hidden> · 2017-04-21
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Andy Lutomirski <luto@amacapital.net> · 2017-04-21
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Kees Cook <hidden> · 2017-04-21
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Andy Lutomirski <luto@kernel.org> · 2017-04-21
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Djalal Harouni <hidden> · 2017-04-22
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Djalal Harouni <hidden> · 2017-04-22
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Andy Lutomirski <luto@kernel.org> · 2017-04-22
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Kees Cook <hidden> · 2017-04-22
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Djalal Harouni <hidden> · 2017-04-24
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Kees Cook <hidden> · 2017-04-24
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Djalal Harouni <hidden> · 2017-04-24
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Casey Schaufler <casey@schaufler-ca.com> · 2017-04-21
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Andy Lutomirski <luto@kernel.org> · 2017-04-22
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Casey Schaufler <casey@schaufler-ca.com> · 2017-04-22
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Andy Lutomirski <luto@amacapital.net> · 2017-04-22
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Djalal Harouni <hidden> · 2017-04-22
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Djalal Harouni <hidden> · 2017-05-04
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · "Serge E. Hallyn" <serge@hallyn.com> · 2017-05-04
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Djalal Harouni <hidden> · 2017-05-05
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Andy Lutomirski <luto@kernel.org> · 2017-05-05
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · kbuild test robot <hidden> · 2017-04-20
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Rusty Russell <hidden> · 2017-04-24
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Djalal Harouni <hidden> · 2017-04-26
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Rusty Russell <hidden> · 2017-04-27
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Djalal Harouni <hidden> · 2017-04-27

[kernel-hardening] Re: [PATCH v3 1/2] modules:capabilities: automatic module loading restriction

From: Djalal Harouni <hidden>
Date: 2017-04-20 12:45:01
Also in: linux-api, lkml

On Thu, Apr 20, 2017 at 4:22 AM, Ben Hutchings [off-list ref] wrote:

On Thu, 2017-04-20 at 00:20 +0200, Djalal Harouni wrote:
[...]

quoted

+modules_autoload:
+
+A sysctl to control if modules auto-load feature is allowed or not.
+This sysctl complements "modules_disabled" which is for all module
+operations where this flag applies only to automatic module loading.
+Automatic module loading happens when programs request a kernel feature
+that is implemented by an unloaded module, the kernel automatically
+runs the program pointed by "modprobe" sysctl in order to load the
+corresponding module.
+
+When modules_autoload is set to (0), the default, there are no
+restrictions.
+
+When modules_autoload is set to (1), processes must have CAP_SYS_MODULE
+to be able to trigger a module auto-load operation, or CAP_NET_ADMIN
+for modules with a 'netdev-%s' alias.
+
+When modules_autoload is set to (2), automatic module loading is
+disabled for all. Once set, this value can not be changed.

I would expect a parameter 'modules_autoload' to be a boolean, so this
behaviour would be surprising.

What is the point of mode 2?  Why would someone want to set
modules_disabled=0 and modules_autoload=2?

modules_disabled is too restrictive and once set it can't be changed,
maybe that's why not all users use it.

With modules_disabled=0 and modules_autoload=2

* The functionality of the system can still be made available.
* You only disable automatic module loading
* Explicit module load/unload can still happen. Administrators or
privileged programs can still explicitly load modules provide a
feature without rebooting.
* You are able to restrict some applications from inserting new
modules at all by also applying a seccomp filter and removing their
CAP_SYS_MODULE, where explicit load/unload is still available to
others.
* You are able to unload an old bad version of the module without
rebooting, and maybe load the new version.

[...]

quoted

--- a/kernel/module.c
+++ b/kernel/module.c

[...]

quoted

+static int modules_autoload_privileged_access(const char *name)
+{
+     if (capable(CAP_SYS_MODULE))
+             return 0;
+     else if (name && strstr(name, "netdev-") && capable(CAP_NET_ADMIN))

[...]

We want a prefix match, so use strncmp() not strstr().

Indeed, will fix it.

Thanks!

Ben.

--
Ben Hutchings
It is easier to change the specification to fit the program than vice
versa.



-- 
tixxdz
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help