Received: by 10.223.185.82 with SMTP id b18csp54420wrg; Thu, 8 Mar 2018 19:07:42 -0800 (PST) X-Google-Smtp-Source: AG47ELtyDErCl2dVYZIaDbJZ5BPk9ShZvQXTbYvdAIoSlgy1hMxSFBUAKE6WyrI8sOE0LXgC0OUv X-Received: by 2002:a17:902:b683:: with SMTP id c3-v6mr25927711pls.154.1520564862491; Thu, 08 Mar 2018 19:07:42 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1520564862; cv=none; d=google.com; s=arc-20160816; b=wrXHAsNLYGRBZDkLBWXlM/NCWX4HXc523jOtrR2ttWLP5+Bct2de8JjHmqskRugGrc /6On7TKCeD4O7WjBP70NqbGZe1Ypms4PdL/zi/swTsZ84uBw9jk+jJ6HezDeYBG4dW03 Bm+kwKoWT8F7CZ1oCyaXVW0lEggcuY50ifV8h/xzqvLJngXFQ2FVdcjMqwRWDeFQyYBJ 6LStCp58nqb+3X1Nj/GWR71Oud5OCqUg0ciZfoxcuKJk3BvZ9Th/3Bgdl0ugjR7Swk7H 2+uDu4FzjTOuWiM6N+va72TZWouYxfb9WB8cKfHMd3M4EmW03/LLo2R4RDWduZXIQBuI Y8ZQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature:dkim-signature :arc-authentication-results; bh=+yluK7jCeX1sHofhJz0akhT1AWvr7iDc0B26Ejxp3C4=; b=WBaXGrnBABghWMkVSRCIHPeXaI7MXxcQR87+n7c2KXWakayZNw4sAw4QGKmm+tIEaz W3/8tGrkRTcIw13B1gDjENp4OkXr3SgRAORwSnVDxPJJWhi2DjsGClxVxs7kgnbUX3TW o3Gxafkxtdh0WkRuaLhTZH3tqtmhRSLn/4vnUr+0GJHVczdg5eT4uMuvW69y2HRHanwt +lBYb/076IEsxH1ZbR3iZGlHbEW0gT6oob+EDx6e9pp9wfyfRp7IFLPtRjnvdGjorBcs L/7cyrQKmxuCCc7z3fbVJz0ElEZBa4IHHTHr7KXzIEV33rGQGqoRsJRDzoTXhvGZsbjv VwSg== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=k9U8x0fl; dkim=fail header.i=@linux-foundation.org header.s=google header.b=HHe+pDeL; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id n3si70923pgp.102.2018.03.08.19.07.26; Thu, 08 Mar 2018 19:07:42 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=k9U8x0fl; dkim=fail header.i=@linux-foundation.org header.s=google header.b=HHe+pDeL; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751077AbeCIDGd (ORCPT + 99 others); Thu, 8 Mar 2018 22:06:33 -0500 Received: from mail-io0-f193.google.com ([209.85.223.193]:34235 "EHLO mail-io0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750836AbeCIDGb (ORCPT ); Thu, 8 Mar 2018 22:06:31 -0500 Received: by mail-io0-f193.google.com with SMTP id e7so2035869ioj.1; Thu, 08 Mar 2018 19:06:30 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=+yluK7jCeX1sHofhJz0akhT1AWvr7iDc0B26Ejxp3C4=; b=k9U8x0flK0VZwBPiLhjqGrXBn2RfkGlEjGPDA5QtfSrYRolqHHfRoGgkfKnEkUiKz7 FEk2axUGdmo3Ep4AsBRO+SJA4X0ZuAfbAf2GqlJ2a2nUK5uQIefimcv+fA6vSza2EJba WSS1PzXRgbTqjovFLwnL+rHebitT2AgCfoHgvdMqWKPTjIiLVPaNWdvm55poXBpqAwmb CRpJ84+Nt5gfAuOVoGXRxw3hqBpi2JfwnTwijmaeqY6m8LQIetZhiCL0y7v0X+LUVa87 KVBEZMLM3KpP+ex1xxU44u/smvqTjbQzEko6EMxnAVdxln7NEtv3uH7N822kS3Yc1IUx 1C4Q== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux-foundation.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=+yluK7jCeX1sHofhJz0akhT1AWvr7iDc0B26Ejxp3C4=; b=HHe+pDeL4bp6vc9j0rhncviDGhsBRiteBrTMZvm4//10r+wINXzE9ASB3XHbpvItfs t/g+J15c7Upw/nXOxFeAL5rIcuyvKd6IKRDFeusLkFwcgcR1JS/o1EjIz6MbHofdwXd1 27euPkTESuPC9X9t0U86bOLSmh6WTD9b/aoJ0= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=+yluK7jCeX1sHofhJz0akhT1AWvr7iDc0B26Ejxp3C4=; b=jRvmxA5h+4Lg2W2uy77akAjdP9RmOBBsNqSUcJPulPkGWl+9zbsgbOw+3xSoPpC4Lb HhgB5zaSDTerjQqPG3hkzYFzaMQcjp7A6cukaa6J7vKvUQ93TAvzOfcxMeMJA/w2akoI 5jeug8oO6Q6z3v8vlqY0lQ63l5S7qNh4VmGJ2gLJ8Egatl2v0xgqqymaEqw53VpxS0u7 H9LFKz4t7BPi13ZC/TKZZKU1SRlBHuOaiPkiIBiyuGQ3IVlmgj1jsLKaLeK6G9CrUCod szoRLXMs+Ozvt0rZAAzzYtZWg/e+C6m4ORwve1pAOVN4WniWdTw0a/cYT3++vpuqq4lG MChw== X-Gm-Message-State: AElRT7HGc95kogUumGB5lN6Gnz5n+5L/w8kMT/i8HLwB+bhWu9qlBBWH E2+bOrwwKN/AMQ/N+ZOgszH6FeivNS4hWv0IAxGDYqOW X-Received: by 10.107.82.1 with SMTP id g1mr35593245iob.203.1520564790137; Thu, 08 Mar 2018 19:06:30 -0800 (PST) MIME-Version: 1.0 Received: by 10.107.135.221 with HTTP; Thu, 8 Mar 2018 19:06:29 -0800 (PST) In-Reply-To: References: <20180306013457.1955486-1-ast@kernel.org> From: Linus Torvalds Date: Thu, 8 Mar 2018 19:06:29 -0800 X-Google-Sender-Auth: 6pSNBgBSKY_jhVLJoUuC6ljtzlA Message-ID: Subject: Re: [PATCH net-next] modules: allow modprobe load regular elf binaries To: Kees Cook Cc: Andy Lutomirski , Alexei Starovoitov , Djalal Harouni , Al Viro , "David S. Miller" , Daniel Borkmann , Greg KH , "Luis R. Rodriguez" , Network Development , LKML , kernel-team , Linux API Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Mar 8, 2018 at 5:44 PM, Kees Cook wrote: > > My concerns are mostly about crossing namespaces. If a container > triggers an autoload, the result runs in the init_ns. Heh. I saw that as an advantage. It's basically the same semantics as a normal module load does - in that the "kernel namespace" is init_ns. My own personal worry is actually different - we do check the signature of the file we're loading, but we're then passing it off to execve() not as the image we loaded, but as the file pointer. So the execve() will end up not using the actual buffer we checked the signature on, but instead just re-reading the file. Now, that has two issues: (a) it means that 'init_module' doesn't work, only 'finit_module'. Not a big deal, but I do think that we should fail the 'info->file == NULL' case explicitly (instead of failing when it does an execve() of /dev/null, which is what I think it does now - but that's just from the reading the patch, not from testing it). (b) somebody could maybe try to time it and modify the file after-the-fact of the signature check, and then we execute something else. Honestly, that "read twice" thing may be what scuttles this. Initially, I thought it was a non-issue, because anybody who controls the module subdirectory enough to rewrite files would be in a position to just execute the file itself directly instead. But it turns out that isn't needed. Some bad actor could just do "finit_module()" with a file that they just *copied* from the module directory. Yes, yes, they still need CAP_SYS_MODULE to even get that far, but it does worry me. So this does seem to turn "CAP_SYS_MODULE" into meaning "can run any executable as root in the init namespace". They don't have to have the module signing key that I thought would protect us, because they can do that "rewrite after signature check". So that does seem like a bad problem with the approach. So I don't like Andy's "let's make it a kernel module and then that kernel module can execve() a blob". THAT seems like just stupid indirection. But I do like Andy's "execve a blob" part, because it is the *blob* that has had its signature verified, not the file! Linus