Thread (44 messages) 44 messages, 13 authors, 2011-03-26

Re: [PATCH] don't allow CAP_NET_ADMIN to load non-netdev kernel modules

From: Ben Hutchings <hidden>
Date: 2011-02-25 19:30:22
Also in: lkml

On Fri, 2011-02-25 at 11:16 -0800, David Miller wrote:
From: Ben Hutchings <redacted>
Date: Fri, 25 Feb 2011 19:07:59 +0000
quoted
You realise that module loading doesn't actually run in the context of
request_module(), right?
Why is that a barrier?  We could simply pass a capability mask into
request_module if necessary.

It's an implementation detail, and not a deterrant to my suggested
scheme.
It's not an implementation detail.  modprobe currently runs with full
capabilities; your proposal requires its capabilities to be limited to
those of the capabilities of the process that triggered the
request_module() (plus, presumably, CAP_SYS_MODULE).

Now modprobe doesn't have CAP_DAC_OVERRIDE and can't read modprobe
configuration files that belong to users other than root.

It doesn't have CAP_SYS_MKNOD so it can't run hooks that call mknod.

etc.

Ben.

-- 
Ben Hutchings, Senior Software Engineer, Solarflare Communications
Not speaking for my employer; that's the marketing department's job.
They asked us to note that Solarflare product names are trademarked.
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help