From: Djalal Harouni
To: Kees Cook, Andy Lutomirski, Andrew Morton, "Luis R. Rodriguez", James Morris, Ben Hutchings, Solar Designer, Serge Hallyn, Jessica Yu, Rusty Russell, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, kernel-hardening@lists.openwall.com
Cc: Jonathan Corbet, Ingo Molnar, "David S. Miller", netdev@vger.kernel.org, Peter Zijlstra, Linus Torvalds, Djalal Harouni
Subject: [PATCH v5 next 5/5] net: modules: use request_module_cap() to load 'netdev-%s' modules
Date: Mon, 27 Nov 2017 18:18:38 +0100
Message-Id: <1511803118-2552-6-git-send-email-tixxdz@gmail.com>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1511803118-2552-1-git-send-email-tixxdz@gmail.com>
References: <1511803118-2552-1-git-send-email-tixxdz@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

This uses the new request_module_cap() facility to directly propagate CAP_NET_ADMIN capability and the 'netdev' module prefix to the capability subsystem as it was suggested.

We do not remove the explicit capable(CAP_NET_ADMIN) check here, but we may remove it in future versions since it is also performed by the capability subsystem. This allows us to have a better interface where other subsystems will just use this call and let the capability subsystem handle the permission checks, if the modules should be loaded or not.

This is also an infrastructure fix since historically Linux always allowed to auto-load modules without privileges, and later the net code started to check capabilities and prefixes, adapted the CAP_NET_ADMIN check with the 'netdev' prefix to prevent abusing the capability by loading non-netdev modules.

However from a bigger picture we want to continue to support automatic module loading as non privileged but also implement easy policy solutions like:

    User=djalal
    DenyNewFeatures=no

Which will translate to allow the interactive user djalal to load extra Linux features.
Others, volatile accounts or guests can be easily blocked from doing so.

We have introduced in previous patches the necessary infrastructure and now with this change we start to use the new request_module_cap() function to explicitly tell the capability subsystem that we want to auto-load modules with CAP_NET_ADMIN if they are prefixed.

This is also based on suggestions from Rusty Russell and Kees Cook [1]

[1] https://lkml.org/lkml/2017/4/26/735

Cc: Ben Hutchings
Cc: James Morris
Cc: Serge Hallyn
Cc: Solar Designer
Cc: Andy Lutomirski
Suggested-by: Rusty Russell
Suggested-by: Kees Cook
Signed-off-by: Djalal Harouni
--- net/core/dev_ioctl.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/core/dev_ioctl.c b/net/core/dev_ioctl.c index 7e690d0..fdd8560 100644 --- a/net/core/dev_ioctl.c +++ b/net/core/dev_ioctl.c @@ -382,8 +382,10 @@ void dev_load(struct net *net, const char *name) rcu_read_unlock(); no_module = !dev; + /* "netdev-%s" modules are allowed if CAP_NET_ADMIN is set */ if (no_module && capable(CAP_NET_ADMIN)) - no_module = request_module("netdev-%s", name); + no_module = request_module_cap(CAP_NET_ADMIN, "netdev", + "%s", name); if (no_module && capable(CAP_SYS_MODULE)) request_module("%s", name); } -- 2.7.4
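
Review bot: In the dev_load() hunk the new call passes the prefix as "netdev" and the format as "%s", while the removed call built the alias as "netdev-%s", and nothing in the visible lines shows where the hyphen is added. If request_module_cap() joins prefix and name with "-", say so in the added comment or in the helper's documentation; otherwise the requested alias changes and existing netdev aliases would stop matching. The outer capable(CAP_NET_ADMIN) test is also kept even though the commit message says the capability subsystem performs the same check, so the capability is tested twice on this path. A short comment stating that the outer check is intentional for now would keep a later cleanup from dropping the wrong one. The CAP_SYS_MODULE fallback still calls request_module("%s", name) with no prefix, so it is worth stating in the commit message whether that path is meant to stay outside the new policy hook.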