Received: by 10.223.185.116 with SMTP id b49csp258630wrg; Thu, 8 Mar 2018 17:01:11 -0800 (PST) X-Google-Smtp-Source: AG47ELvOZ0I4DcrmcBV1ZCyHXCoS5Odi53IiZCMTooG++pMqA2IBoL6wJK33LEzWAgVWt+sg4+1X X-Received: by 10.99.0.207 with SMTP id 198mr22939053pga.364.1520557271189; Thu, 08 Mar 2018 17:01:11 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1520557271; cv=none; d=google.com; s=arc-20160816; b=hOFAy367YjOA3TCHFWJaXN6MjjFRpW6Jfz938axslcH+a5xxiIeO038pDYH3FMHfAk QjJnemPPyu82sKe/1vi5gzr7iJVnoTAcWNw4wK8xOiusC6RzaCWPcD4ec4eDb63oA0un NhuQdbpp8rLRCAEbo+r50NEJ3+IkryZI3HtyxaWQGuVk8peP2idA3A9h2FtSCF0FmPjR nRu+sTzJqq0ChhEPa+uJBX+9K6PzVQcoLnlcmhi6OuPei0YTcs72OlXuufi7cZ814WvE dEudOUjAehFisrp3mPFYOht6c0ousrMuu4c9s113OsvOK4QIsLjRkMIwNGKZc41pHjk3 logw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=nWFo+89pSuBF3Rz8efXBMWfRY9FKuoLtyRqGObO56LQ=; b=zeHY7PXFMnWvjaU0Pr+DQfVgopX2NEPLNuCvIlIYMe1Z4JU7rfwtRBezBjW5+SqH8j gkUvdo6rjbGNIovXIPWWTNxzP+66siaNyt3sDZcEeGxb0dcTNOO68qVjN0oXALvPZpaH tV9sm+ToFtlGu3Xh+84dFJQBMTGcW1cwPTrM36NwovHEbgVQZmOY1lnqvQ0ektV3NA6A i57WkqRJ1gPWJhZLg8DBgMT0ajf8KJpsnY7aPOeM3CE7ZPvaLjLv/NledcOSTslgNgRt vuXVg6wWo6+yqWqvVXyuEfw0ANW4GQQdmyVf8b7Ot858Xpb3gEcU5LZoca2QWlXr6v8s neSQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=D7YX5pxP; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j5si3544207pfi.225.2018.03.08.17.00.56; Thu, 08 Mar 2018 17:01:11 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=D7YX5pxP; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932099AbeCIBAA (ORCPT + 99 others); Thu, 8 Mar 2018 20:00:00 -0500 Received: from mail-it0-f65.google.com ([209.85.214.65]:37832 "EHLO mail-it0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751215AbeCIA76 (ORCPT ); Thu, 8 Mar 2018 19:59:58 -0500 Received: by mail-it0-f65.google.com with SMTP id k79-v6so873610ita.2 for ; Thu, 08 Mar 2018 16:59:57 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amacapital-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=nWFo+89pSuBF3Rz8efXBMWfRY9FKuoLtyRqGObO56LQ=; b=D7YX5pxPFucY9OTSdpN56RzOkVZU3BgHiB4uJ8WoC5LyNR7T6yvws00zc3kbTL0ZxS em3MTtBhyrSuhKi1jSBucy2tokIwxZ5cILD6n+DChvYQ7NB9HNWS27v6kL5+Emd7mn5b ZELQF5FBdWDpawdqLMwa3bXqzDzG/FDmrU1q4o/yjyOOcF0oa8ppyiT35IO49rAmG9gd TLoHL3mYf0cqjWk0+lLHOUkbo2fofDIkPM/XlDPBan5w2mwbGsgNCvVN+W+gl3E0weFW enh9Hl5aua8irqynF/3qu1HvmlauXOoT7Ut22OG+mnBPrsthi3pIHtijsJwlbiZzxgk7 Qwuw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=nWFo+89pSuBF3Rz8efXBMWfRY9FKuoLtyRqGObO56LQ=; b=o2Kf8peLNwvr8qhgPqSxyFanCvj9opPvEs92MniGOkVAf0kov0W1eT+CMq4d7LJnCq eHH1ODcXFhIqH5arHFh02bMHVkT4QYNjXthyjlwsfM1ynIok+EzdgGwz0uI7Bff7jEpd iYPKRb7nMT2u1CHMF3gUD7BoAleXEAVneYHL4nX2povSrd9RjSd2FhTMAHAuUwqZVezT rBMmrSwBFvGGpiK/RowO8UiRyby5OtKeKa+hCWPP2UIhwBu7YJII1D3ejUZqZzi/VViz SEOXxYQPvEFR6L/vRLE6sNQEjYgVVGoEgXP8mygeOc3KfsSZOuDBp9jo+v0UtQaFXtgP GeBA== X-Gm-Message-State: AElRT7G3VuKmPg7ZpzIf9Bz6QfwrC9sFpQ59aF+q5LHqeeHuidUqXtoU wr6bg86O02j749gZNFwsri5ysxdPnV0jmVG9MifziA== X-Received: by 10.36.221.212 with SMTP id t203mr1128569itf.54.1520557197337; Thu, 08 Mar 2018 16:59:57 -0800 (PST) MIME-Version: 1.0 Received: by 10.2.137.101 with HTTP; Thu, 8 Mar 2018 16:59:36 -0800 (PST) In-Reply-To: References: <20180306013457.1955486-1-ast@kernel.org> From: Andy Lutomirski Date: Fri, 9 Mar 2018 00:59:36 +0000 Message-ID: Subject: Re: [PATCH net-next] modules: allow modprobe load regular elf binaries To: Kees Cook Cc: Alexei Starovoitov , Djalal Harouni , Al Viro , "David S. Miller" , Daniel Borkmann , Linus Torvalds , Greg KH , "Luis R. Rodriguez" , Network Development , LKML , kernel-team@fb.com, Linux API Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Mar 9, 2018 at 12:24 AM, Kees Cook wrote: > How is this not marked [RFC]? :) > > On Mon, Mar 5, 2018 at 5:34 PM, Alexei Starovoitov wrote: >> As the first step in development of bpfilter project [1] the request_module() >> code is extended to allow user mode helpers to be invoked. Idea is that >> user mode helpers are built as part of the kernel build and installed as >> traditional kernel modules with .ko file extension into distro specified >> location, such that from a distribution point of view, they are no different >> than regular kernel modules. Thus, allow request_module() logic to load such >> user mode helper (umh) modules via: >> >> request_module("foo") -> >> call_umh("modprobe foo") -> >> sys_finit_module(FD of /lib/modules/.../foo.ko) -> >> call_umh(struct file) > > Yikes. This means autoloaded artbitrary exec() now, instead of > autoloading just loading arbitrary modules? That seems extremely bad. > This just extends all the problems we've had with defining security > boundaries with modules out to umh too. I would need some major > convincing that this can be made safe. > > It's easy for container to trigger arbitrary module loading, so if it > can find/use a similar one of the bugs we've seen in the past to > redirect the module loading we don't just get new module-created > attack surface added to the kernel, but we again get arbitrary ELF > running in the root ns (not in the container). And in the insane case > of a container with CAP_SYS_MODULE, this is a trivial escape without > even needing to build a special kernel module: the root ns, running > with all privileges runs an arbitrary ELF. > > As it stands, I have to NAK this. At the very least, you need to solve > the execution environment problems here: the ELF should run with no > greater privileges than what loaded the module, and very importantly, > must not be allowed to bypass these checks through autoloading. What > _triggered_ the autoload must be the environment, not the "modprobe", > since that's running with full privileges. Basically, we need to fix > module autoloading first, or at least a significant subset of the > problems: https://lkml.org/lkml/2017/11/27/754 I disagree. If we're going to somehow have ELF binaries that pretend to be modules, then they should run with high privilege and, more importantly, should run in a context independent of whoever triggered autoloading. Also, I don't see how this is any more exploitable than any other init_module(). If someone has CAP_SYS_MODULE or autoload privileges and they can trigger init_module() on a file, then they're granting maximum privilege to the contents of that file. So who cares if that file is a kernel module or an ELF binary? Alexei, can you give an example use case? I'm sure it's upthread somewhere, but I'm having trouble finding it. Also, I just tested this concept a bit. Depmod invoked explicitly on an ET_EXEC with a.ko extension gets mad, but depmod -a on a kernel that has a "module" like that seems to work fine. Go figure.