[kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions
From: Djalal Harouni <hidden>
Date: 2017-05-22 19:55:47
Also in:
linux-api, lkml, netdev
On Mon, May 22, 2017 at 6:43 PM, Solar Designer [off-list ref] wrote:
On Mon, May 22, 2017 at 03:49:15PM +0200, Djalal Harouni wrote:quoted
On Mon, May 22, 2017 at 2:08 PM, Solar Designer [off-list ref] wrote:quoted
On Mon, May 22, 2017 at 01:57:03PM +0200, Djalal Harouni wrote:quoted
*) When modules_autoload_mode is set to (2), automatic module loading is disabled for all. Once set, this value can not be changed.What purpose does this securelevel-like property ("Once set, this value can not be changed.") serve here? I think this mode 2 is needed, but without this extra property, which is bypassable by e.g. explicitly loaded kernel modules anyway (and that's OK).My reasoning about "Once set, this value can not be changed" is mainly for: If you have some systems where modules are not updated for any given reason, then the only one who will be able to load a module is an administrator, basically this is a shortcut for: * Apps/services can run with CAP_NET_ADMIN but they are not allowed to auto-load 'netdev' modules. * Explicitly loading modules can be guarded by seccomp filters *per* app, so even if these apps have CAP_SYS_MODULE they won't be able to explicitly load modules, one has to remount some sysctl /proc/ entries read-only here and remove CAP_SYS_ADMIN for all apps anyway. This mainly serves the purpose of these systems that do not receive updates, if I don't want to expose those kernel interfaces what should I do ? then if I want to unload old versions and replace them with new ones what operation should be allowed ? and only real root of the system can do it. Hence, the "Once set, this value can not be changed" is more of a shortcut, also the idea was put in my mind based on how "modules_disabled" is disabled forever, and some other interfaces. I would say: it is easy to handle a transition from 1) "hey this system is still up to date, some features should be exposed" to 2) "this system is not up to date anymore, only root should expose some features..." Hmm, I am not sure if this answers your question ? :-)This answers my question, but in a way that I summarize as "there's no good reason to include this securelevel-like property".
Hmm, sorry I did forget to add in my previous comment that with such systems, CAP_SYS_MODULE can be used to reset the "modules_autoload_mode" sysctl back from mode 2 to mode 1, even if we disable it privileged tasks can be triggered to overwrite the sysctl flag and get it back unless /proc is read-only... that's one of the points, it should not be so easy to relax it.
quoted
I definitively don't want to fall into "modules_disabled" trap where is it too strict! "Once set, this value can not be changed" means for some users do not set it otherwise the system is unusable... Maybe an extra "4" mode for that ? better get it right.I think you should simply exclude this property from mode 2.
Ok, maybe my comment above answers this ? What I was referring to here, is to have one small window where it is disable for privileged and that securelevel-like like property or disable definitively are separated. I don't have a strong opinion here, having a usable system is important.
The module autoloading restrictions aren't meant to reduce root's powers; they're only meant to protect processes from shooting themselves and the system in the foot inadvertently (confused deputy). modules_disabled may be different in that respect, although with the rest of the kernel lacking securelevel-like support the point is moot. We had working securelevel in 2.0.34 through 2.0.40 inclusive, but we've lost it in 2.1+ with cap-bound apparently never becoming as complete a replacement for it and having been lost/broken further in 2.6.25+. I regret this, but that's a different story. Like I say, module autoloading doesn't even fit in with those restrictions - it's about a totally different threat model.
Ok, thanks for the information, so yes it seems we do not have such a consistent way, but this did not block Yama LSM and other sysctl to implement their own cases, maybe it did show that it is not that easy to have a generic securelevel mechanism ? and what we currently have is more practical ? I can't tell here. But we definitively want to block privileged tasks to revert the sysctl mode if the administrator do not want automatic module loading. Thanks! -- tixxdz -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html