Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1042287AbdDVGwP (ORCPT ); Sat, 22 Apr 2017 02:52:15 -0400 Received: from mail.kernel.org ([198.145.29.136]:54830 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1040590AbdDVGwN (ORCPT ); Sat, 22 Apr 2017 02:52:13 -0400 MIME-Version: 1.0 In-Reply-To: References: <1492640420-27345-1-git-send-email-tixxdz@gmail.com> <1492640420-27345-3-git-send-email-tixxdz@gmail.com> From: Andy Lutomirski Date: Fri, 21 Apr 2017 23:51:44 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction To: Djalal Harouni Cc: Andy Lutomirski , Kees Cook , Linux Kernel Mailing List , Andrew Morton , "Serge E. Hallyn" , "kernel-hardening@lists.openwall.com" , LSM List , Linux API , Dongsu Park , Casey Schaufler , James Morris , Paul Moore , Tetsuo Handa , Greg Kroah-Hartman , Jonathan Corbet , Jessica Yu , Rusty Russell , Arnaldo Carvalho de Melo , Mauro Carvalho Chehab , Ingo Molnar , belakhdar abdeldjalil , Peter Zijlstra Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2731 Lines: 64 On Fri, Apr 21, 2017 at 5:12 PM, Djalal Harouni wrote: > On Sat, Apr 22, 2017 at 1:51 AM, Andy Lutomirski wrote: > [...] >>>> I personally like my implicit_rights idea, and it might be interesting >>>> to prototype it. >>> >>> I don't like blocking a needed feature behind a large super-feature >>> that doesn't exist yet. We'd be able to refactor this code into using >>> such a thing in the future, so I'd prefer to move ahead with this >>> since it would stop actual exploits. >> >> I don't think the super-feature is so hard, and I think we should not >> add the per-task thing the way it's done in this patch. Let's not add >> per-task things where the best argument for their security is "not >> sure how it would be exploited". > > Actually the XFRM framework CVE-2017-7184 [1] is one real example, of > course there are others. The exploit was used on a generic distro > during a security contest that distro is Ubuntu. That distro will > never provide a module autoloading restriction by default to not harm > it's users. Consumers or containers/sandboxes then can run their > confined apps using such facilities. > > These bugs will stay in embedded devices that use these generic > distros for ever. > >> Anyway, I think the sysctl is really the important bit. The per-task >> setting is icing on the cake IMO. One upon a time autoload was more >> important, but these days modaliases are supposed to do most of the >> work. I bet that modern distros don't need unprivileged autoload at >> all. > > Actually I think they do and we can't just change that. Users may > depend on it, it is a well established facility. > > Now the other problem is CAP_NET_ADMIN which does lot of things, it is > more like the CAP_SYS_ADMIN. > > This is a quick list that I got from only the past months, I'm pretty > sure there are more: > > * DCCP use after free CVE-2017-6074 > * n_hldc CVE-2017-2636 > * XFRM framework CVE-2017-7184 > * L2TPv3 CVE-2016-10200 > > Most of these need CAP_NET_ADMIN to be autoloaded, however we also > need CAP_NET_ADMIN for other things... therefore it is better to have > an extra facility that could coexist with CAP_NET_ADMIN and other > sandbox features. > I agree that the feature is important, but I think your implementation is needlessly dangerous. I imagine that the main uses that you care about involve containers. How about doing it in a safer way that works for containers? I can think of a few. For example: 1. A sysctl that, if set, prevents autoloading outside the root userns. This isn't very flexible at all, but it might work. 2. Your patch, but require privilege within the calling namespace to set the prctl. 3. A per-user-ns sysctl.