Received: by 10.223.171.82 with SMTP id r18csp316534wrc; Thu, 8 Mar 2018 17:45:30 -0800 (PST) X-Google-Smtp-Source: AG47ELsRUH58V2jq4VafCpKIuUxWS4umdlzW1ms+u6ubg1UWdUl6fY8p7ckgsxgDrMGoxDWkTgtW X-Received: by 2002:a17:902:7889:: with SMTP id q9-v6mr26376997pll.218.1520559930395; Thu, 08 Mar 2018 17:45:30 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1520559930; cv=none; d=google.com; s=arc-20160816; b=fDa9Fi135Ut26b8p8bhJ94rb4fVXk1vw2cp5fbv5u2DsmHw/JiYwCPFQznQPX5aRwA C5N+ejbeZcIlAq8AUvYEPPT2pGUv3AYobC1T962v4Y0b1g2wLnjyPQ2AMpn5QWT8R8IY dxR+3bnUcwDXqXfRwuko25l+SGUPfISu8MH1JrOD/5RaPSjkSFZW4mzBTsMg1hhnZbUO TlaEQ0nRIDCyj8AUbylbqCDKb0tIy9BFWgCmjHb2ZJXkyhe4zlKtwiWHEP+u6ohXf0rg d9kWSoF908T0wUANggrspmdE4b2UuPKaPCZ713hTItstYV/3C4eULm5DVUtLU6rsWKZ7 ZnZw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature:dkim-signature :arc-authentication-results; bh=q2QHtIUB5a/7XAi6Ubnw8XeORTJwtlwTQjK2rZv3YQc=; b=eUIu4AYTZaLBKgirkEm3QKLzdWbuuGLAc5vs1eC5DMFyQwGNkF0pu9/5hDt7+nO4d4 IVvhJi+wq9iF/VptFfNbZ20fJuzXHqWRZD17AEKl0kDAQp21pY51WOJUbV2n0pEIVrBh gdeGw36s3EQwqioYtYu5KAlLMbT2OxIYDrI1vMAZwZfzSDjG89ZtMaISVeomZag6qtXQ t+SS8fcCb7/S5r83zNsog4+JemIhQ4d9KHBtB3ohbr8XOEATUsVgg6BFYti7oMSWgbi1 RJDKD4zbb/EjlyUy2s8V3uvzPX7jqp2WrFQRurNdexmA9ifvnsW6CFnvFqiYfBI/KLRP ynxg== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=Cf6vQJro; dkim=fail header.i=@chromium.org header.s=google header.b=n6p9Cbr6; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id c87si16663498pfk.369.2018.03.08.17.45.07; Thu, 08 Mar 2018 17:45:30 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=Cf6vQJro; dkim=fail header.i=@chromium.org header.s=google header.b=n6p9Cbr6; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751877AbeCIBoP (ORCPT + 99 others); Thu, 8 Mar 2018 20:44:15 -0500 Received: from mail-vk0-f66.google.com ([209.85.213.66]:40465 "EHLO mail-vk0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751148AbeCIBoN (ORCPT ); Thu, 8 Mar 2018 20:44:13 -0500 Received: by mail-vk0-f66.google.com with SMTP id n82so1195158vkf.7 for ; Thu, 08 Mar 2018 17:44:12 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=q2QHtIUB5a/7XAi6Ubnw8XeORTJwtlwTQjK2rZv3YQc=; b=Cf6vQJrozNavE+JdmwIaDvwh9sEG1NX4W3d/NBMX5JQUn8amMdzAoKxpF4jowHmMHz hKw/Zy2Myr4/ec1x11r+6N40lf9gcsp9B2YcNLG0ZuQX61qIHcWolb8r9Xp2si5cGpxE KFgwgKUalPlgADEsrY1Y25glOaFiFzJnJi2/h7zj8D4ixHO1FYib1svqnj7IRwqOekPe QyOCVIb9GLiGu5SnIdODW0+rnwI4xlHpHzO4x7DVeOj8ksXeZnv5XNdoGDvwV1ZaqNh+ cIk2Jq0lvdxgzPtCWSe4arETzRgURn3vOU8cGznoSO8MfPoOOXDacZk/xsknipdYSeD1 4KJg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=q2QHtIUB5a/7XAi6Ubnw8XeORTJwtlwTQjK2rZv3YQc=; b=n6p9Cbr6vnIh03M31tzzIj8ibg7JK8J6nYrG9y1bmGMlVJPJ/9KDpn4VdUPetMHQzt qH9QkLv+WCQQgl7mDACt91z7HpSbDMmWOfxfbjROscR08s/7qhjy/sJ7Lg6voO2sIIoP +Zy04PecBgDLgDMAKssdtoMHRxf59hHtAZIfM= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=q2QHtIUB5a/7XAi6Ubnw8XeORTJwtlwTQjK2rZv3YQc=; b=spqLzan0e1eHwk1mYjm4C/LIoRX+F2nnpFAVoWjpKWDdswEoDijRlShned2/L41P0K j04S+ZkIVPWdhF1jb+ifBiyRV0k6H1Ujy2+vjQtKtOlGJoEHaQbnribAwfPZn8ab8h/r l0U1doBzzgjYfSv0d53omo6oCCLIORgYNNLUItbyLu0X8exJaqpaTTggu9iGuGUO1hVE oepzpw873zQHoo9P4R8SdM8Z3j3Nhwoa7J+x1NOreMjODUfPaWahr1NMdCeYtr+rJ+pA 3MgSF/SXl8Yh55CgD6AqDx3RTdm5vMtPx5MPzI539dopFudqMkWVGDaibzrdl3iHx/i7 Q6ug== X-Gm-Message-State: APf1xPDTMx95CCUFKM+Jgc/CQWOp/Feze1e/6eRfoGbU5hH/chjYSGd1 /fTfvPTpplKwz2KE4l4Ea87pITTdGDAaFDrhKZaH6A== X-Received: by 10.31.192.210 with SMTP id q201mr20195512vkf.7.1520559852036; Thu, 08 Mar 2018 17:44:12 -0800 (PST) MIME-Version: 1.0 Received: by 10.31.242.140 with HTTP; Thu, 8 Mar 2018 17:44:11 -0800 (PST) In-Reply-To: References: <20180306013457.1955486-1-ast@kernel.org> From: Kees Cook Date: Thu, 8 Mar 2018 17:44:11 -0800 X-Google-Sender-Auth: 1zOOJGdak4Hlt3i-vBPTre3KJag Message-ID: Subject: Re: [PATCH net-next] modules: allow modprobe load regular elf binaries To: Linus Torvalds Cc: Andy Lutomirski , Alexei Starovoitov , Djalal Harouni , Al Viro , "David S. Miller" , Daniel Borkmann , Greg KH , "Luis R. Rodriguez" , Network Development , LKML , kernel-team , Linux API Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Mar 8, 2018 at 5:38 PM, Linus Torvalds wrote: > On Thu, Mar 8, 2018 at 4:59 PM, Andy Lutomirski wrote: >> >> Also, I don't see how this is any more exploitable than any other >> init_module(). > > Absolutely. If Kees doesn't trust the files to be loaded, an > executable - even if it's running with root privileges and in the > initns - is still fundamentally weaker than a kernel module. > > So I don't understand the security argument AT ALL. It's nonsensical. > The executable loading does all the same security checks that the > module loading does, including the signing check. > > And the whole point is that we can now do things with building and > loading a ebpf rule instead of having a full module. My concerns are mostly about crossing namespaces. If a container triggers an autoload, the result runs in the init_ns. So, really, there's nothing new from my perspective, except that it's in userspace instead of in the kernel. Perhaps it's an orthogonal concern. -Kees -- Kees Cook Pixel Security