Received: by 10.223.171.82 with SMTP id r18csp316534wrc;
        Thu, 8 Mar 2018 17:45:30 -0800 (PST)
X-Google-Smtp-Source: AG47ELsRUH58V2jq4VafCpKIuUxWS4umdlzW1ms+u6ubg1UWdUl6fY8p7ckgsxgDrMGoxDWkTgtW
X-Received: by 2002:a17:902:7889:: with SMTP id q9-v6mr26376997pll.218.1520559930395;
        Thu, 08 Mar 2018 17:45:30 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1520559930; cv=none;
        d=google.com; s=arc-20160816;
        b=fDa9Fi135Ut26b8p8bhJ94rb4fVXk1vw2cp5fbv5u2DsmHw/JiYwCPFQznQPX5aRwA
         C5N+ejbeZcIlAq8AUvYEPPT2pGUv3AYobC1T962v4Y0b1g2wLnjyPQ2AMpn5QWT8R8IY
         dxR+3bnUcwDXqXfRwuko25l+SGUPfISu8MH1JrOD/5RaPSjkSFZW4mzBTsMg1hhnZbUO
         TlaEQ0nRIDCyj8AUbylbqCDKb0tIy9BFWgCmjHb2ZJXkyhe4zlKtwiWHEP+u6ohXf0rg
         d9kWSoF908T0wUANggrspmdE4b2UuPKaPCZ713hTItstYV/3C4eULm5DVUtLU6rsWKZ7
         ZnZw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature:dkim-signature
         :arc-authentication-results;
        bh=q2QHtIUB5a/7XAi6Ubnw8XeORTJwtlwTQjK2rZv3YQc=;
        b=eUIu4AYTZaLBKgirkEm3QKLzdWbuuGLAc5vs1eC5DMFyQwGNkF0pu9/5hDt7+nO4d4
         IVvhJi+wq9iF/VptFfNbZ20fJuzXHqWRZD17AEKl0kDAQp21pY51WOJUbV2n0pEIVrBh
         gdeGw36s3EQwqioYtYu5KAlLMbT2OxIYDrI1vMAZwZfzSDjG89ZtMaISVeomZag6qtXQ
         t+SS8fcCb7/S5r83zNsog4+JemIhQ4d9KHBtB3ohbr8XOEATUsVgg6BFYti7oMSWgbi1
         RJDKD4zbb/EjlyUy2s8V3uvzPX7jqp2WrFQRurNdexmA9ifvnsW6CFnvFqiYfBI/KLRP
         ynxg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@google.com header.s=20161025 header.b=Cf6vQJro;
       dkim=fail header.i=@chromium.org header.s=google header.b=n6p9Cbr6;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id c87si16663498pfk.369.2018.03.08.17.45.07;
        Thu, 08 Mar 2018 17:45:30 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@google.com header.s=20161025 header.b=Cf6vQJro;
       dkim=fail header.i=@chromium.org header.s=google header.b=n6p9Cbr6;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751877AbeCIBoP (ORCPT <rfc822;arandomawesomegeek@gmail.com>
        + 99 others); Thu, 8 Mar 2018 20:44:15 -0500
Received: from mail-vk0-f66.google.com ([209.85.213.66]:40465 "EHLO
        mail-vk0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751148AbeCIBoN (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 8 Mar 2018 20:44:13 -0500
Received: by mail-vk0-f66.google.com with SMTP id n82so1195158vkf.7
        for <linux-kernel@vger.kernel.org>; Thu, 08 Mar 2018 17:44:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=q2QHtIUB5a/7XAi6Ubnw8XeORTJwtlwTQjK2rZv3YQc=;
        b=Cf6vQJrozNavE+JdmwIaDvwh9sEG1NX4W3d/NBMX5JQUn8amMdzAoKxpF4jowHmMHz
         hKw/Zy2Myr4/ec1x11r+6N40lf9gcsp9B2YcNLG0ZuQX61qIHcWolb8r9Xp2si5cGpxE
         KFgwgKUalPlgADEsrY1Y25glOaFiFzJnJi2/h7zj8D4ixHO1FYib1svqnj7IRwqOekPe
         QyOCVIb9GLiGu5SnIdODW0+rnwI4xlHpHzO4x7DVeOj8ksXeZnv5XNdoGDvwV1ZaqNh+
         cIk2Jq0lvdxgzPtCWSe4arETzRgURn3vOU8cGznoSO8MfPoOOXDacZk/xsknipdYSeD1
         4KJg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=q2QHtIUB5a/7XAi6Ubnw8XeORTJwtlwTQjK2rZv3YQc=;
        b=n6p9Cbr6vnIh03M31tzzIj8ibg7JK8J6nYrG9y1bmGMlVJPJ/9KDpn4VdUPetMHQzt
         qH9QkLv+WCQQgl7mDACt91z7HpSbDMmWOfxfbjROscR08s/7qhjy/sJ7Lg6voO2sIIoP
         +Zy04PecBgDLgDMAKssdtoMHRxf59hHtAZIfM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
         :date:message-id:subject:to:cc;
        bh=q2QHtIUB5a/7XAi6Ubnw8XeORTJwtlwTQjK2rZv3YQc=;
        b=spqLzan0e1eHwk1mYjm4C/LIoRX+F2nnpFAVoWjpKWDdswEoDijRlShned2/L41P0K
         j04S+ZkIVPWdhF1jb+ifBiyRV0k6H1Ujy2+vjQtKtOlGJoEHaQbnribAwfPZn8ab8h/r
         l0U1doBzzgjYfSv0d53omo6oCCLIORgYNNLUItbyLu0X8exJaqpaTTggu9iGuGUO1hVE
         oepzpw873zQHoo9P4R8SdM8Z3j3Nhwoa7J+x1NOreMjODUfPaWahr1NMdCeYtr+rJ+pA
         3MgSF/SXl8Yh55CgD6AqDx3RTdm5vMtPx5MPzI539dopFudqMkWVGDaibzrdl3iHx/i7
         Q6ug==
X-Gm-Message-State: APf1xPDTMx95CCUFKM+Jgc/CQWOp/Feze1e/6eRfoGbU5hH/chjYSGd1
        /fTfvPTpplKwz2KE4l4Ea87pITTdGDAaFDrhKZaH6A==
X-Received: by 10.31.192.210 with SMTP id q201mr20195512vkf.7.1520559852036;
 Thu, 08 Mar 2018 17:44:12 -0800 (PST)
MIME-Version: 1.0
Received: by 10.31.242.140 with HTTP; Thu, 8 Mar 2018 17:44:11 -0800 (PST)
In-Reply-To: <CA+55aFwJPDub+tdShCgeTz3UejeskVE7_x+eQLq75mCjYPyP8w@mail.gmail.com>
References: <20180306013457.1955486-1-ast@kernel.org> <CAGXu5j+Q=S5sw9N5avyByxi2ekM6povT5Tajjhdb6D9g9ggKxQ@mail.gmail.com>
 <CALCETrX=Vfk1T-XegwnjtUqeEsyUFXH1744d0yGkufQvDA5xkQ@mail.gmail.com> <CA+55aFwJPDub+tdShCgeTz3UejeskVE7_x+eQLq75mCjYPyP8w@mail.gmail.com>
From:   Kees Cook <keescook@chromium.org>
Date:   Thu, 8 Mar 2018 17:44:11 -0800
X-Google-Sender-Auth: 1zOOJGdak4Hlt3i-vBPTre3KJag
Message-ID: <CAGXu5j+B4wgT3ovynAxa1zwCeROfN5zK45tL1FUnFh0sg8M5AA@mail.gmail.com>
Subject: Re: [PATCH net-next] modules: allow modprobe load regular elf binaries
To:     Linus Torvalds <torvalds@linux-foundation.org>
Cc:     Andy Lutomirski <luto@amacapital.net>,
        Alexei Starovoitov <ast@kernel.org>,
        Djalal Harouni <tixxdz@gmail.com>,
        Al Viro <viro@zeniv.linux.org.uk>,
        "David S. Miller" <davem@davemloft.net>,
        Daniel Borkmann <daniel@iogearbox.net>,
        Greg KH <gregkh@linuxfoundation.org>,
        "Luis R. Rodriguez" <mcgrof@kernel.org>,
        Network Development <netdev@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        kernel-team <kernel-team@fb.com>,
        Linux API <linux-api@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Mar 8, 2018 at 5:38 PM, Linus Torvalds
<torvalds@linux-foundation.org> wrote:
> On Thu, Mar 8, 2018 at 4:59 PM, Andy Lutomirski <luto@amacapital.net> wrote:
>>
>> Also, I don't see how this is any more exploitable than any other
>> init_module().
>
> Absolutely. If Kees doesn't trust the files to be loaded, an
> executable - even if it's running with root privileges and in the
> initns - is still fundamentally weaker than a kernel module.
>
> So I don't understand the security argument AT ALL. It's nonsensical.
> The executable loading does all the same security checks that the
> module loading does, including the signing check.
>
> And the whole point is that we can now do things with building and
> loading a ebpf rule instead of having a full module.

My concerns are mostly about crossing namespaces. If a container
triggers an autoload, the result runs in the init_ns. So, really,
there's nothing new from my perspective, except that it's in userspace
instead of in the kernel.

Perhaps it's an orthogonal concern.

-Kees

-- 
Kees Cook
Pixel Security