[PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction

[PATCH v3 0/2] modules:capabilities: automatic module loading restrictions · Djalal Harouni <hidden> · 2017-04-19
[PATCH v3 1/2] modules:capabilities: automatic module loading restriction · Djalal Harouni <hidden> · 2017-04-19
Re: [PATCH v3 1/2] modules:capabilities: automatic module loading restriction · Andy Lutomirski <luto@kernel.org> · 2017-04-19
Re: [PATCH v3 1/2] modules:capabilities: automatic module loading restriction · Ben Hutchings <hidden> · 2017-04-20
Re: [kernel-hardening] Re: [PATCH v3 1/2] modules:capabilities: automatic module loading restriction · Djalal Harouni <hidden> · 2017-04-20
Re: [kernel-hardening] Re: [PATCH v3 1/2] modules:capabilities: automatic module loading restriction · Ben Hutchings <hidden> · 2017-04-20
Re: [kernel-hardening] Re: [PATCH v3 1/2] modules:capabilities: automatic module loading restriction · Djalal Harouni <hidden> · 2017-04-20
Re: [kernel-hardening] Re: [PATCH v3 1/2] modules:capabilities: automatic module loading restriction · Kees Cook <hidden> · 2017-04-20
[PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Djalal Harouni <hidden> · 2017-04-19
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Djalal Harouni <hidden> · 2017-04-19
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Andy Lutomirski <luto@kernel.org> · 2017-04-19
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Kees Cook <hidden> · 2017-04-19
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Andy Lutomirski <luto@kernel.org> · 2017-04-20
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Kees Cook <hidden> · 2017-04-21
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Andy Lutomirski <luto@amacapital.net> · 2017-04-21
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Kees Cook <hidden> · 2017-04-21
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Andy Lutomirski <luto@kernel.org> · 2017-04-21
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Djalal Harouni <hidden> · 2017-04-22
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Djalal Harouni <hidden> · 2017-04-22
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Andy Lutomirski <luto@kernel.org> · 2017-04-22
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Kees Cook <hidden> · 2017-04-22
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Djalal Harouni <hidden> · 2017-04-24
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Kees Cook <hidden> · 2017-04-24
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Djalal Harouni <hidden> · 2017-04-24
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Casey Schaufler <casey@schaufler-ca.com> · 2017-04-21
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Andy Lutomirski <luto@kernel.org> · 2017-04-22
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Casey Schaufler <casey@schaufler-ca.com> · 2017-04-22
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Andy Lutomirski <luto@amacapital.net> · 2017-04-22
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Djalal Harouni <hidden> · 2017-04-22
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Djalal Harouni <hidden> · 2017-05-04
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · "Serge E. Hallyn" <serge@hallyn.com> · 2017-05-04
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Djalal Harouni <hidden> · 2017-05-05
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Andy Lutomirski <luto@kernel.org> · 2017-05-05
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · kbuild test robot <hidden> · 2017-04-20
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Rusty Russell <hidden> · 2017-04-24
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Djalal Harouni <hidden> · 2017-04-26
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Rusty Russell <hidden> · 2017-04-27
Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction · Djalal Harouni <hidden> · 2017-04-27

From: luto@kernel.org (Andy Lutomirski)
Date: 2017-05-05 16:19:14
Also in: linux-api, lkml

On Thu, May 4, 2017 at 6:07 AM, Djalal Harouni [off-list ref] wrote:

On Sat, Apr 22, 2017 at 2:17 PM, Djalal Harouni [off-list ref] wrote:

quoted

On Sat, Apr 22, 2017 at 1:28 AM, Andy Lutomirski [off-list ref] wrote:

[...]

quoted

My point is that all of these need some way to handle configuration
and inheritance, and I don't think that a bunch of per-task prctls is
the right way.  As just an example, saying that interactive users can
autoload modules but other users can't, or that certain systemd
services can, etc, might be nice.  Linus already complained that he
(i.e. user "torvalds" or whatever) should be able to profile the
kernel but that other uids should not be able to.

Neat, maybe this could already be achieved with this interface and
systemd-logind,  "ModulesAutoloadUsers=andy" in logind.conf where
"andy" is the only logged-in user able to trigger and autoload kernel
modules. However maybe we should not restrict too much other bits or
functionality of the other users, please let me will follow up later
on it.

quoted

I personally like my implicit_rights idea, and it might be interesting
to prototype it.

Andy following on the idea of per user settings, I'm curious did you
manage to make some advance on how to store the user settings ? the
user database format is old and not extensible, there was cgmanager or
other libcgroup but for resources, and no simple thing for such
restrictions example: "RestrictLinuxModules=user" that will prevent
such users from making/loading extra Linux features/modules that are
not already available...

I figured that user code would figure it out somehow.  Text config file?

There is another odd way it could be configured: just leave the inodes
around in /dev/rights with appropriate permissions.  Some startup
script could re-instantiate them with the same permissions (via a
syscall that does that atomically).
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help