Date: Mon, 10 Apr 2023 20:37:06 +0200
From: Greg KH
To: Topi Miettinen
Cc: linux-modules, Kernel Hardening, "linux-hardening@vger.kernel.org", "linux-kernel@vger.kernel.org"
Subject: Re: Per-process flag set via prctl() to deny module loading?
Message-ID: <2023041010-vacation-scribble-ba46@gregkh>
In-Reply-To: <640c4327-0b40-f964-0b5b-c978683ac9ba@gmail.com>

On Mon, Apr 10, 2023 at 01:06:00PM +0300, Topi Miettinen wrote:
> I'd propose to add a per-process flag to irrevocably deny any loading of
> kernel modules for the process and its children. The flag could be set (but
> not unset) via prctl() and for unprivileged processes, only when
> NoNewPrivileges is also set. This would be similar to CAP_SYS_MODULE, but
> unlike capabilities, there would be no issues with namespaces since the flag
> isn't namespaced.
>
> The implementation should be very simple.

Patches are always welcome to be reviewed.

But note, please watch out for processes that cause devices to be found,
and then modules to be loaded that way, it's not going to be as simple
as you might have imagined...

thanks,

greg k-h
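
The set-only, inherited-by-children semantics proposed above already exist for the no_new_privs flag, so this added example (not code from the thread or the kernel tree) uses PR_SET_NO_NEW_PRIVS as a stand-in to show them. It does not implement the proposed module-loading flag, and the helper names are hypothetical.

```c
/* Added example: the existing no_new_privs flag as a stand-in for the
 * proposed flag. Helper names are hypothetical. Linux only. */
#include <errno.h>
#include <linux/capability.h>   /* CAP_SYS_MODULE */
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if no_new_privs is set for the caller, 0 if not, -1 on error. */
int nnp_get(void) { return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0); }

/* Set the flag; needs no privilege. Returns 0 on success. */
int nnp_set(void) { return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); }

/* Try to clear the flag. Returns 0 if the kernel allowed it, else errno. */
int nnp_try_clear(void)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) == 0)
        return 0;
    return errno;
}

/* Fork and return the child's view of the flag (1, 0, or -1 on error). */
int nnp_in_child(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(nnp_get() == 1 ? 1 : 0);
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* 1 if CAP_SYS_MODULE is still in the capability bounding set, 0 if dropped. */
int module_cap_in_bset(void) { return prctl(PR_CAPBSET_READ, CAP_SYS_MODULE, 0, 0, 0); }

int main(void)
{
    printf("set flag:               %d\n", nnp_set());
    printf("flag after set:         %d\n", nnp_get());
    printf("clear rejected(EINVAL): %d\n", nnp_try_clear() == EINVAL);
    printf("flag seen by child:     %d\n", nnp_in_child());
    printf("CAP_SYS_MODULE in bset: %d\n", module_cap_in_bset());
    return 0;
}
```

The checks cover only the calling process and its children; a module load that some other process performs after a device is found is outside what they observe.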