[PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction

[PATCH v3 0/2] modules:capabilities: automatic module loading restrictions · Djalal Harouni <hidden> · 2017-04-19
[PATCH v3 1/2] modules:capabilities: automatic module loading restriction · Djalal Harouni <hidden> · 2017-04-19
Re: [PATCH v3 1/2] modules:capabilities: automatic module loading restriction · Andy Lutomirski <luto@kernel.org> · 2017-04-19
Re: [PATCH v3 1/2] modules:capabilities: automatic module loading restriction · Ben Hutchings <hidden> · 2017-04-20
Re: [kernel-hardening] Re: [PATCH v3 1/2] modules:capabilities: automatic module loading restriction · Djalal Harouni <hidden> · 2017-04-20
Re: [kernel-hardening] Re: [PATCH v3 1/2] modules:capabilities: automatic module loading restriction · Ben Hutchings <hidden> · 2017-04-20
Re: [kernel-hardening] Re: [PATCH v3 1/2] modules:capabilities: automatic module loading restriction · Djalal Harouni <hidden> · 2017-04-20
Re: [kernel-hardening] Re: [PATCH v3 1/2] modules:capabilities: automatic module loading restriction · Kees Cook <hidden> · 2017-04-20
[PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Djalal Harouni <hidden> · 2017-04-19
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Djalal Harouni <hidden> · 2017-04-19
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Andy Lutomirski <luto@kernel.org> · 2017-04-19
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Kees Cook <hidden> · 2017-04-19
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Andy Lutomirski <luto@kernel.org> · 2017-04-20
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Kees Cook <hidden> · 2017-04-21
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Andy Lutomirski <luto@amacapital.net> · 2017-04-21
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Kees Cook <hidden> · 2017-04-21
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Andy Lutomirski <luto@kernel.org> · 2017-04-21
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Djalal Harouni <hidden> · 2017-04-22
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Djalal Harouni <hidden> · 2017-04-22
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Andy Lutomirski <luto@kernel.org> · 2017-04-22
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Kees Cook <hidden> · 2017-04-22
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Djalal Harouni <hidden> · 2017-04-24
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Kees Cook <hidden> · 2017-04-24
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Djalal Harouni <hidden> · 2017-04-24
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Casey Schaufler <casey@schaufler-ca.com> · 2017-04-21
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Andy Lutomirski <luto@kernel.org> · 2017-04-22
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Casey Schaufler <casey@schaufler-ca.com> · 2017-04-22
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Andy Lutomirski <luto@amacapital.net> · 2017-04-22
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Djalal Harouni <hidden> · 2017-04-22
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Djalal Harouni <hidden> · 2017-05-04
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · "Serge E. Hallyn" <serge@hallyn.com> · 2017-05-04
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Djalal Harouni <hidden> · 2017-05-05
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Andy Lutomirski <luto@kernel.org> · 2017-05-05
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · kbuild test robot <hidden> · 2017-04-20
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Rusty Russell <hidden> · 2017-04-24
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Djalal Harouni <hidden> · 2017-04-26
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Rusty Russell <hidden> · 2017-04-27
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Djalal Harouni <hidden> · 2017-04-27

From: Kees Cook <hidden>
Date: 2017-04-24 18:02:53
Also in: linux-api, lkml

On Mon, Apr 24, 2017 at 7:25 AM, Djalal Harouni [off-list ref] wrote:

On Sat, Apr 22, 2017 at 9:29 PM, Kees Cook [off-list ref] wrote:

quoted

On Fri, Apr 21, 2017 at 11:51 PM, Andy Lutomirski [off-list ref] wrote:

quoted

On Fri, Apr 21, 2017 at 5:12 PM, Djalal Harouni [off-list ref] wrote:

quoted

On Sat, Apr 22, 2017 at 1:51 AM, Andy Lutomirski [off-list ref] wrote:

[...]

quoted

* DCCP use after free CVE-2017-6074
* n_hldc CVE-2017-2636
* XFRM framework CVE-2017-7184
* L2TPv3 CVE-2016-10200

Most of these need CAP_NET_ADMIN to be autoloaded, however we also
need CAP_NET_ADMIN for other things... therefore it is better to have
an extra facility that could coexist with CAP_NET_ADMIN and other
sandbox features.

I agree that the feature is important, but I think your implementation
is needlessly dangerous.  I imagine that the main uses that you care
about involve containers.  How about doing it in a safer way that
works for containers?  I can think of a few.  For example:

1. A sysctl that, if set, prevents autoloading outside the root
userns.  This isn't very flexible at all, but it might work.

2. Your patch, but require privilege within the calling namespace to
set the prctl.

How about CAP_SYS_ADMIN || no_new_privs?

-Kees

Yes I can update as per Andy suggestion to require privileges inside
the calling namespace to set prctl. Other options that are not prctl
based have more variants, that make them hard to use.

So I would got with CAP_SYS_ADMIN in the calling userns ||
no_new_privs , I would have said CAP_SYS_MODULE in the userns but it
seems better to standardize on CAP_SYS_ADMIN to set the prctl.

Andy's concern is that it would provide an escalation from SYS_MODULE
to SYS_ADMIN through some privileged process being tricked through a
missing API provided by modules, so we have to use either SYS_ADMIN ||
nnp.

-Kees

-- 
Kees Cook
Pixel Security
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help