Received: by 2002:a05:6358:11c7:b0:104:8066:f915 with SMTP id i7csp3911776rwl;
        Mon, 10 Apr 2023 03:12:01 -0700 (PDT)
X-Google-Smtp-Source: AKy350ZJi6Mu9cHsqe/Rbf0QStCSM/Qn3Nz0zr6IPs2nxXvi5GRoT3PKoV/49K8wxlcT+FBQfc40
X-Received: by 2002:a05:6a20:b213:b0:da:144:92bf with SMTP id eh19-20020a056a20b21300b000da014492bfmr9528675pzb.14.1681121520937;
        Mon, 10 Apr 2023 03:12:00 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1681121520; cv=none;
        d=google.com; s=arc-20160816;
        b=sET7S9OvBFzXh3oag6mmw7zgOIY8pueHC25JZLWD98B49fpsvdF6bL08Tbk5BdK0k9
         mL9s1v6M7Cw9+83XX1aFMJfOz1yl7zLhgRmDfsL/7mjBEBXZw/epNra7hy3rJVHDeZtW
         +FJL1NEyT78SGrnllZlcfomPU9fOzF1XCk6Qndxxuh7gHOPj44pVORTYdmuRfQXEfzho
         +Gw8yc/p5friKZqckRFu1AZ9DdJnW1K0wpZRO7kk2cqad3I7+VDx2mbmKVEbQeg0ZYbD
         ostZy8z465lZm4lKfQ9KHVZC6AvzLYMR7XbqRcsrO+8Bs5sL705LYAyWlXDg+4jKL2X7
         kI5Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:subject:from:to
         :content-language:user-agent:mime-version:date:message-id
         :dkim-signature;
        bh=ATMiUtX64qR0hwTrZDgb3RHiSTdBt+7AzkUE71TDEpA=;
        b=siaUUT28hnPJgBVFLTCdJjm5HZz2x5BSe6YXvYUdcbpEtpj9j8SC9n1JBLbDXQv9yG
         UKdzga+is0OMqNoGRAZHjjwLI+t23QUtrj0qmq5U8TWz+Wq09sDFQQ9BfaPcx8sqL2mo
         OcSDk7Laxkl8CKchaZ+XyTap7IX1Vlpf5Aiymfk73uEXh+7ThJW9qKNBd8+jqrMBLLgT
         NMvBlJFxoSW1ZxFWmn2DajDFgNC2Xa1U/I9uPTZLCmXx3Y5B+FR0aHPvxTKFP8ITeohL
         i1R9Y81ToA8JVVKIFYyNWyIFQyrm+D0R08fpZFtwjUNHvWO6asgHhVoifYJ1aUaCalO+
         Glyg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20210112 header.b=gct+lbvY;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id a21-20020a63e855000000b00513162c223csi10486908pgk.470.2023.04.10.03.11.50;
        Mon, 10 Apr 2023 03:12:00 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20210112 header.b=gct+lbvY;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229771AbjDJKGI (ORCPT <rfc822;aradford@gmail.com> + 99 others);
        Mon, 10 Apr 2023 06:06:08 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51654 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229741AbjDJKGG (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 10 Apr 2023 06:06:06 -0400
Received: from mail-lf1-x133.google.com (mail-lf1-x133.google.com [IPv6:2a00:1450:4864:20::133])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2742249EB;
        Mon, 10 Apr 2023 03:06:04 -0700 (PDT)
Received: by mail-lf1-x133.google.com with SMTP id z8so7575687lfb.12;
        Mon, 10 Apr 2023 03:06:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112; t=1681121162;
        h=content-transfer-encoding:subject:from:to:content-language
         :user-agent:mime-version:date:message-id:from:to:cc:subject:date
         :message-id:reply-to;
        bh=ATMiUtX64qR0hwTrZDgb3RHiSTdBt+7AzkUE71TDEpA=;
        b=gct+lbvYlrtdNbqog/h6bLfpEnPaE247rt+vXA19R+KcjQa2tfFmZW17wCi4DI9Ti1
         hf5KHwycpKXUFQWY4eUvBpNGZq/47owrFhn85GJ9S6WEvuSsOJBYMo1UUfExhdZzPj0U
         tvOZsbj2dKAnPc5e8c57rBnL4OcmZ1vcUf1DJWX7vPWA1Mk3ItkqvapId+/mnH0FXCoU
         XeFC43Ej3DdXAc178xiG7+75caZijBIu3eBZni+DJ8PT7plHTJEwbJJ3eyhM1fEMSkkR
         7hxoV1avDx5u2igYk860iu5jn0l2Wx2U3/rYawuYr3rP7Wkqhj/HU0J22gWTf+JN6Mek
         /aBg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112; t=1681121162;
        h=content-transfer-encoding:subject:from:to:content-language
         :user-agent:mime-version:date:message-id:x-gm-message-state:from:to
         :cc:subject:date:message-id:reply-to;
        bh=ATMiUtX64qR0hwTrZDgb3RHiSTdBt+7AzkUE71TDEpA=;
        b=2toNQxEzRkoGpKB0EI8Z2mtf2vpqSsdVNFdLpyGNRBdCBxmBGRT3ETUhKsF9+IBZoE
         6uGtt+iNQh0h3NxelgXKNKvyhWgQAoIhCNxlbDJaYN7JF5LZCR69rRrzSHMClBQ19Q0I
         JjIxxVGv7iJ9auKWENuYPykqC/AuSH22KGAF+cHt0B4iSL62K0iootElpXS1Qi9s5o/3
         kGKoEpPF94fkJnmUdEM14z1IZ6ItYmRN7DkxeBIHX9TzwAN9FpD4PX/E7HCcHDM0hquq
         9jzI1QojPMgOvmnDm7Qy37PvBVkjgGB7F8lwGBchE4U8jCZla6DFnf0CIPPbDeTjwgdB
         CEqw==
X-Gm-Message-State: AAQBX9fAiuyp9SBgAkPxEDcAgPiRk1OLJxmCO4aWWBt7+O2Rwb1UrbFq
        Pa+xxWGa2J9pAtn4GdZxjhFfELuztpU=
X-Received: by 2002:ac2:42c6:0:b0:4dd:cbf3:e981 with SMTP id n6-20020ac242c6000000b004ddcbf3e981mr2448219lfl.28.1681121162052;
        Mon, 10 Apr 2023 03:06:02 -0700 (PDT)
Received: from [192.168.1.13] (81-197-197-13.elisa-laajakaista.fi. [81.197.197.13])
        by smtp.gmail.com with ESMTPSA id a17-20020a056512021100b00498f67cbfa9sm2045804lfo.22.2023.04.10.03.06.01
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Mon, 10 Apr 2023 03:06:01 -0700 (PDT)
Message-ID: <640c4327-0b40-f964-0b5b-c978683ac9ba@gmail.com>
Date:   Mon, 10 Apr 2023 13:06:00 +0300
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
 Thunderbird/102.9.0
Content-Language: en-US
To:     linux-modules <linux-modules@vger.kernel.org>,
        Kernel Hardening <kernel-hardening@lists.openwall.com>,
        "linux-hardening@vger.kernel.org" <linux-hardening@vger.kernel.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
From:   Topi Miettinen <toiwoton@gmail.com>
Subject: Per-process flag set via prctl() to deny module loading?
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-0.2 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
        DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,
        SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no
        version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

I'd propose to add a per-process flag to irrevocably deny any loading of 
kernel modules for the process and its children. The flag could be set 
(but not unset) via prctl() and for unprivileged processes, only when 
NoNewPrivileges is also set. This would be similar to CAP_SYS_MODULE, 
but unlike capabilities, there would be no issues with namespaces since 
the flag isn't namespaced.

The implementation should be very simple.

Preferably the flag, when configured, would be set by systemd, Firejail 
and maybe also container managers. The expectation would be that the 
permission to load modules would be retained only by udev and where SUID 
needs to be allowed (NoNewPrivileges unset).

-Topi