Thread (83 messages) 83 messages, 14 authors, 2017-12-01

[PATCH v5 next 1/5] modules:capabilities: add request_module_cap()

From: Michal Kubecek <hidden>
Date: 2017-11-29 07:50:01
Also in: lkml, netdev 

On Tue, Nov 28, 2017 at 11:48:49PM +0100, Luis R. Rodriguez wrote:
On Tue, Nov 28, 2017 at 02:18:18PM -0800, Kees Cook wrote:
quoted
On Tue, Nov 28, 2017 at 2:12 PM, Luis R. Rodriguez [off-list ref] wrote:
quoted
On Tue, Nov 28, 2017 at 01:39:58PM -0800, Kees Cook wrote:
quoted
On Tue, Nov 28, 2017 at 1:16 PM, Luis R. Rodriguez [off-list ref] wrote:
quoted
And *all* auto-loading uses aliases? What's the difference
between auto-loading and direct-loading?
The difference is the process privileges. Unprivilged autoloading
(e.g. int n_hdlc = N_HDLC; ioctl(fd,
TIOCSETD, &n_hdlc)), triggers a privileged call to finit_module()
under CAP_SYS_MODULE.
Ah, so system call implicated request_module() calls.
Yup. Unprivileged user does something that ultimately hits a
request_module() in the kernel. Then the kernel calls out with the
usermode helper (which has CAP_SYS_MODULE) and calls finit_module().
Thanks, using this terminology is much better to understand than
auto-loading, given it does make it clear an unprivileged call was one
that initiated the request_module() call, there are many uses of
request_module() which *are* privileged.
quoted
quoted
OK and since CAP_SYS_MODULE is much more restrictive one could
argue, what's the point here?
The goal is to block an unprivileged user from being able to trigger a
module load without blocking root from loading modules directly.
I see now. Do we have an audit of all system calls which implicate a
request_module() call? Networking is a good example for sure to start
off with but I was curious if we have a grasp of how wide spread this
could be.
I'm not sure it makes sense to classify this by syscalls. In networking,
request_module() can be triggered e.g. by a netlink message (genetlink
family lookup is an example not needing any privileges) so that one of
the syscalls would be sendmsg().

Michal Kubecek
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help