Received: by 10.223.164.202 with SMTP id h10csp2218738wrb; Mon, 27 Nov 2017 13:43:32 -0800 (PST) X-Google-Smtp-Source: AGs4zMbe4TzzU23KkGDBuZMBdAbpXjXNir0OXgqmhgI+hUr1YS/XIIHRIKkJSxthYVy75nVy1KI/ X-Received: by 10.101.98.198 with SMTP id m6mr39720612pgv.410.1511819012609; Mon, 27 Nov 2017 13:43:32 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1511819012; cv=none; d=google.com; s=arc-20160816; b=nZF5F1XrWXUcOxYmBetMRkWxIJDP5xmd4d18DDyjbi97sZbsIyf/gObCvUUApivGL5 6TXAI/xFwBTDx6ZYCDBNS0IkySv2rrAEli1+18v99ofcVL3mOiaUt2MM20AUI+KF9P0G EbtZCULBwQvQMgJZl/CBZ6uCWMlfK4YFooHBuvxUPKHacwID0m9aRK5nMJdZrdnWD+/O 5SfP+kOVDE6D3lWbVVYlwm9yeaBnVZjZ/KJ5ySLh7M6IHPFkbcjj3zrubq+bYRPLoer+ PscqtQaBL6INd3RB37vQimzlhrnkE0yYKqvYCEb2EYADt54+GoLnyaCdDoPwsTQ7HMuS tnZw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=lsL+AWQmNtPzXscF/lUqnz5kzLHTo+/yF4J/VApsGFk=; b=cAJhD3DyzQo+wxYJWgW0Pkuef+wOzN1oRUREcoymMObLDiBjeqnMECqsxL5seKNkXs 7BgZlQKzlwFUj/DLNFcms9lbN/82o2+IkRgoKgCIDJznEC1TUgnGaWM5CEGhUE7AyYbH JIPPBE1FBdmFyNmmsB0UvHbWiD3kUvli/Jm+vAHBWvWgMPiSCtPPRmc94PubUljnmzZA 50nVRFVzMXS4RwEyRJKkZG7+E9GvM7yFAQ9qJP0jQdrUdYqUQG1Ladi1npHMUPQSNRuq yVK6ajnDRAGz2ht0JXJh/zLRw+FmSEdfwwewfabURbsaLvpbd9dcZp/K6bq8laMQFSNz hM5g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=qfPNBeAP; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b8si23151852pgv.271.2017.11.27.13.43.20; Mon, 27 Nov 2017 13:43:32 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=qfPNBeAP; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753169AbdK0Vle (ORCPT + 78 others); Mon, 27 Nov 2017 16:41:34 -0500 Received: from mail-qk0-f196.google.com ([209.85.220.196]:41001 "EHLO mail-qk0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752486AbdK0Vlc (ORCPT ); Mon, 27 Nov 2017 16:41:32 -0500 Received: by mail-qk0-f196.google.com with SMTP id f63so34445620qke.8; Mon, 27 Nov 2017 13:41:32 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=lsL+AWQmNtPzXscF/lUqnz5kzLHTo+/yF4J/VApsGFk=; b=qfPNBeAPEKT7UmffTHQfk8RQRDjudRWnYIvUUF6y0HB3tMe9m/okHKPEgTwENOCovh ik2o0kX+gsbNuYBsgcdjc5DaUAqhN4BWjN3vyQyutjD+ze22orZ42Ak59wUdH600enCu SVxHB+WMk+ySEZkFWCo33mFjmmLamQ3fLmQgBt1h6GR/I4piJs7Lmx0IkF7ykEKGwirG hO64nEqttZMAbl/Y11OJ3GcgUdTwT0CynaYXilgc3f4tSHTvpXMVqGjDamd7ukHOtm4u tSalYOEQEs3qcs8AWENmq/TViBY3KRYwdCuQ6f2fHTDPcrKhNojrs26V6LZcoKC+1een B1vg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=lsL+AWQmNtPzXscF/lUqnz5kzLHTo+/yF4J/VApsGFk=; b=OEFn74S3QJcHY8znbm/MeIu5HN9bXaB6C7f2/dU4WycENuaquWzyHjADeMuYlSjiCL glo31BwytpndZDVmgmNQJSlgXBgIf2bLalsaIOc9xhn5a+fJrc0LHR9RWqjHaWAr4Avu GCumH1sa0SZ9cux1RW0W2fWD5GmQJ78jNxywRsn5xtctvGBNzCPOqggzSM4VU9u3GAUH XrZXiTn1FoOWD7Z3Kg+4wUMagR1ke6IN9ya/CVndaDq9NXwWc6330eykTtFQ7bUaETl5 WAWRfTmu1vuO7J530iRi5EBv0walxxzC6sUwbqN7dBIoCLiGGU1L6xNwP8q6Xgku1dlA Mncw== X-Gm-Message-State: AJaThX51KLjblQmJLvn5JFmuiPoMFGdBSRefph9nO/+rGn3S/I/z1LfR XMZRwcm61S8Rq0OpRsbAfqejOVqDWaWBu9tE8qc= X-Received: by 10.55.214.133 with SMTP id p5mr59500026qkl.212.1511818892029; Mon, 27 Nov 2017 13:41:32 -0800 (PST) MIME-Version: 1.0 Received: by 10.140.31.132 with HTTP; Mon, 27 Nov 2017 13:41:31 -0800 (PST) In-Reply-To: References: <1511803118-2552-1-git-send-email-tixxdz@gmail.com> <1511803118-2552-6-git-send-email-tixxdz@gmail.com> From: Djalal Harouni Date: Mon, 27 Nov 2017 22:41:31 +0100 Message-ID: Subject: Re: [PATCH v5 next 5/5] net: modules: use request_module_cap() to load 'netdev-%s' modules To: Linus Torvalds Cc: Kees Cook , Andy Lutomirski , Andrew Morton , "Luis R. Rodriguez" , James Morris , Ben Hutchings , Solar Designer , Serge Hallyn , Jessica Yu , Rusty Russell , Linux Kernel Mailing List , LSM List , "kernel-hardening@lists.openwall.com" , Jonathan Corbet , Ingo Molnar , "David S. Miller" , Network Development , Peter Zijlstra Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Linus, On Mon, Nov 27, 2017 at 7:44 PM, Linus Torvalds wrote: > On Mon, Nov 27, 2017 at 9:18 AM, Djalal Harouni wrote: >> This uses the new request_module_cap() facility to directly propagate >> CAP_NET_ADMIN capability and the 'netdev' module prefix to the >> capability subsystem as it was suggested. > > This is the kind of complexity that I wonder if it's worth it at all. > > Nobody sane actually uses those stupid capability bits. Have you ever > actually seen it used in real life? Yes they are complicated even for developers, and normal users do not understand them, however yes every sandbox and container is exposing them to endusers directly, they are documented! so yes CAP_SYS_MODULE is exposed but it does not cover autoloading. However, we are trying hard to abstract some semantics that are easy to grasp, we are mutating capabilities and seccomp to have an abstracted "yes/no" options for our endusers. Now, if you are referring to kernel code, the networking subsystem is using them and I don't want to break any assumption here. There is still the request_module(), the request_module_cap() was suggested so networking code later won't have to do the checks on its own, and maybe it can be consistent in the long term. The phonet sockets even needs CAP_SYS_ADMIN... > > They were a mistake, and we should never have done them - another case > of security people who think that complexity == security, when in > reality nobody actually wants the complexity or is willing to set it > up and manage it. Alright, but I guess we are stuck, is there something better on how we can do this or describe this ? Please note in these patches, the mode is specifically described as: * allowed: for backward compatibility (I would have done without it) * privileged: which includes capabilities (backward compatibility too) or we can add what ever in the future * disabled: even for privileged. So I would have preferred if it is something like "yes/no" but... However in userspace we will try hard to hide this complexity and the capability bits. Now I can see that the code comments and doc refer to privileged with capabilities a lot, where we can maybe update that doc and code to less state that privileged means capabilities ? Suggestions ? Thanks! > Linus -- tixxdz From 1585245918985241515@xxx Mon Nov 27 18:45:18 +0000 2017 X-GM-THRID: 1585240629942062556 X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread