Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S945410AbdDTMpB (ORCPT ); Thu, 20 Apr 2017 08:45:01 -0400 Received: from mail-qt0-f196.google.com ([209.85.216.196]:36445 "EHLO mail-qt0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S945391AbdDTMoz (ORCPT ); Thu, 20 Apr 2017 08:44:55 -0400 MIME-Version: 1.0 In-Reply-To: <1492654942.31767.21.camel@decadent.org.uk> References: <1492640420-27345-1-git-send-email-tixxdz@gmail.com> <1492640420-27345-2-git-send-email-tixxdz@gmail.com> <1492654942.31767.21.camel@decadent.org.uk> From: Djalal Harouni Date: Thu, 20 Apr 2017 14:44:53 +0200 Message-ID: Subject: Re: [kernel-hardening] Re: [PATCH v3 1/2] modules:capabilities: automatic module loading restriction To: Ben Hutchings Cc: Linux Kernel Mailing List , Andy Lutomirski , Kees Cook , Andrew Morton , "Serge E. Hallyn" , kernel-hardening@lists.openwall.com, LSM List , Linux API , Dongsu Park , Casey Schaufler , James Morris , Paul Moore , Tetsuo Handa , Greg Kroah-Hartman , Jonathan Corbet , Jessica Yu , Rusty Russell , Arnaldo Carvalho de Melo , Mauro Carvalho Chehab , Ingo Molnar , Zendyani , Peter Zijlstra Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2519 Lines: 77 On Thu, Apr 20, 2017 at 4:22 AM, Ben Hutchings wrote: > On Thu, 2017-04-20 at 00:20 +0200, Djalal Harouni wrote: > [...] >> +modules_autoload: >> + >> +A sysctl to control if modules auto-load feature is allowed or not. >> +This sysctl complements "modules_disabled" which is for all module >> +operations where this flag applies only to automatic module loading. >> +Automatic module loading happens when programs request a kernel feature >> +that is implemented by an unloaded module, the kernel automatically >> +runs the program pointed by "modprobe" sysctl in order to load the >> +corresponding module. >> + >> +When modules_autoload is set to (0), the default, there are no >> +restrictions. >> + >> +When modules_autoload is set to (1), processes must have CAP_SYS_MODULE >> +to be able to trigger a module auto-load operation, or CAP_NET_ADMIN >> +for modules with a 'netdev-%s' alias. >> + >> +When modules_autoload is set to (2), automatic module loading is >> +disabled for all. Once set, this value can not be changed. > > I would expect a parameter 'modules_autoload' to be a boolean, so this > behaviour would be surprising. > > What is the point of mode 2? Why would someone want to set > modules_disabled=0 and modules_autoload=2? modules_disabled is too restrictive and once set it can't be changed, maybe that's why not all users use it. With modules_disabled=0 and modules_autoload=2 * The functionality of the system can still be made available. * You only disable automatic module loading * Explicit module load/unload can still happen. Administrators or privileged programs can still explicitly load modules provide a feature without rebooting. * You are able to restrict some applications from inserting new modules at all by also applying a seccomp filter and removing their CAP_SYS_MODULE, where explicit load/unload is still available to others. * You are able to unload an old bad version of the module without rebooting, and maybe load the new version. > [...] >> --- a/kernel/module.c >> +++ b/kernel/module.c > [...] >> +static int modules_autoload_privileged_access(const char *name) >> +{ >> + if (capable(CAP_SYS_MODULE)) >> + return 0; >> + else if (name && strstr(name, "netdev-") && capable(CAP_NET_ADMIN)) > [...] > > We want a prefix match, so use strncmp() not strstr(). Indeed, will fix it. Thanks! > Ben. > > -- > Ben Hutchings > It is easier to change the specification to fit the program than vice > versa. > -- tixxdz