Date: Sun, 24 Oct 2021 11:38:19 +0200
From: Thomas Weißschuh
To: Andy Lutomirski
Cc: Christian Brauner, Linux API, Linux Kernel Mailing List, Luis Chamberlain, Jessica Yu
Subject: Re: [RFC] Expose request_module via syscall
Message-ID: <97e88a06-4dfc-485c-b562-bed2a8e4b1b8@t-8ch.de>
References: <705fde50-37a6-49ed-b9c2-c9107cd88189@t-8ch.de> <20210916092719.v4pkhhugdiq7ytcp@wittgenstein> <2ebf1a9d-77d5-472b-a99a-b141654725da@www.fastmail.com> <6eff0e8a-4965-437d-9273-1d9d73892e1a@t-8ch.de>
In-Reply-To: <6eff0e8a-4965-437d-9273-1d9d73892e1a@t-8ch.de>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2021-09-19 09:56+0200, Thomas Weißschuh wrote:
> On 2021-09-18T11:47-0700, Andy Lutomirski wrote:
> > But I admit I'm a bit confused. What exactly is the container doing that
> > causes the container's copy of modprobe to be called?
>
> The container is running an instance of the docker daemon in swarm mode.
> That needs the "ip_vs" module (amongst others) and explicitly tries to load it
> via modprobe.

If somebody stumbles upon this specific issue:
The "ip_vs" module will be autoloaded in future kernel versions with
https://lore.kernel.org/lkml/20211021130255.4177-1-linux@weissschuh.net/ applied.

> > > If so the seccomp notifier can be used to intercept this system call for
> > > the container and verify the module against an allowlist similar to how
> > > we currently handle mount.
> > >
> > > Christian
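Added example, not code from this thread or from the kernel: the allowlist check a seccomp-notify supervisor could apply to the requested module name before letting a load proceed, along the lines of Christian's quoted suggestion. It assumes the supervisor has already copied the name string out of the target process; the allowlist, the MAX_MODNAME bound and the function names are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Upper bound on a module name; constructed for this example. */
#define MAX_MODNAME 56

/* Constructed allowlist: modules this container may ask the kernel to load.
 * ip_vs is the one the docker swarm case in the thread needs. */
static const char *const allowed_modules[] = { "ip_vs", "ip_vs_rr", NULL };

/* Decide whether an intercepted module-load request may be forwarded.
 * name is the NUL-terminated string the supervisor has already copied out
 * of the target process (assumed done by the caller); canonical receives
 * the normalised name. True only for a well-formed, allowlisted name. */
bool module_load_allowed(const char *name, char *canonical, size_t canonical_len)
{
    size_t i;

    if (name == NULL || canonical == NULL)
        return false;
    for (i = 0; name[i] != '\0'; i++) {
        char c = name[i];

        if (i >= MAX_MODNAME || i + 1 >= canonical_len)
            return false;               /* oversized: refuse to forward */
        if (c == '-')
            c = '_';                    /* modprobe treats '-' and '_' alike */
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '_'))
            return false;               /* '/', '%', '.', spaces, ... */
        canonical[i] = c;
    }
    if (i == 0)
        return false;                   /* empty name */
    canonical[i] = '\0';
    for (const char *const *p = allowed_modules; *p != NULL; p++)
        if (strcmp(canonical, *p) == 0)
            return true;
    return false;
}

/* Helper: true if name is allowed and normalises to expect. */
bool allowed_canonical_is(const char *name, const char *expect)
{
    char buf[MAX_MODNAME + 1];

    return module_load_allowed(name, buf, sizeof buf) && strcmp(buf, expect) == 0;
}
```

The supervisor would answer the notification with "continue" only when this returns true and with an error otherwise, so a name carrying path or format characters never reaches the kernel's module loader.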