Received: by 10.223.164.202 with SMTP id h10csp3641955wrb; Tue, 28 Nov 2017 14:53:01 -0800 (PST) X-Google-Smtp-Source: AGs4zMZ2HsBKFo93R/SmhVdygjaOcR5fIaIJiE3dBL2JDOH5/3e2Vl0rCSB3z0msf4CNpLXBHX5m X-Received: by 10.98.163.200 with SMTP id q69mr745407pfl.21.1511909581122; Tue, 28 Nov 2017 14:53:01 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1511909581; cv=none; d=google.com; s=arc-20160816; b=GgHq4vWWx6hucmeYL6VsabOWKWqfwFUelopwe+LPEq88CcKibWuvkJaoduNyyIfcVJ UNhyuzfhlqZU4E1is85tS3CZ0KWeVRZ3AWU7aipODFENifw0IJxfd/vlniXucRnC1gsw zyGIDGUyqG3BTR/BrOz1vOCsYNLIZR9Zoj8GsSfmLITSh0uW7kOqdumz18ymjRMk4Xuu DxBakPprrfcUblp3KTwVGgjwhHqtKXCmyfU6aPTONVaDbVYRMRXSoGbGKwPIV4Xpa5PD mCC8kEVIz8ViyRaz/Nsplehzkw1orNDqa9HFO7gEtU3b1wieGVRTxhMw3i9Al1+HtKlw vt6A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=rpOW/2MX3KPN3CLjLSrM9a3O1kb+SEWZes5vldLirCo=; b=qYgZ4e/lUWdQOq2PNFc9fmZWB2huG3TAvwJRXGId+FeRgksLL/ePPCgLJBIN2FzdwS AWP7D63yMFQ+WqTMZS49UpskRT2aUgJ55bVO5wP33byhZHzOg+EnxfTdK27vN3KMHaJ/ bWZzUcgoKCcfhly5aTcpw9I4vZ3IIUkMvEcHp6FGcKTiKk0NudnH2+9u9FPIY1PEIcbe 6WpCO3SYYE9PDs5m79mDxLtWbSWvcyFzVKv+griIJ2R4ChF1E6aCqVtnyySazluFmou3 orPiX/uUVFc7fmn3RQ86LT5AR0rUc3dtnyJVXD/GxfZMeEysioFthmYJ3GS6/0VG4zwq PYPQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=G0ERRSm4; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x62si185469pgb.541.2017.11.28.14.52.50; Tue, 28 Nov 2017 14:53:01 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=G0ERRSm4; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753132AbdK1WwM (ORCPT + 70 others); Tue, 28 Nov 2017 17:52:12 -0500 Received: from mail-qk0-f195.google.com ([209.85.220.195]:33627 "EHLO mail-qk0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752261AbdK1WwK (ORCPT ); Tue, 28 Nov 2017 17:52:10 -0500 Received: by mail-qk0-f195.google.com with SMTP id 63so2096743qke.0; Tue, 28 Nov 2017 14:52:10 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=rpOW/2MX3KPN3CLjLSrM9a3O1kb+SEWZes5vldLirCo=; b=G0ERRSm4o5fG/341hklhdvlCaht0QXLkBpo9xUprVq12DKgZujUTZaVCjlEkC6r9yN LEenJ6ZmYNF7dTGHZFtETG2yvTK6TU+odAt7fkhsHuGI5kEYIP48uFU7vOlPeNl3YxM/ ZvDzI0Zm6FmFtac0Ti+Ng4/+qXZrKUcu5G7y13GyCvf9YwPkfSXBugy6cc/F61z1xkan GhhelKCTXk0i4C5avKiZXVkVA9520hLdbZqdy00owWtMB1F7134O2rUj6SpRBNfxXVw/ okrDbtk3b0DiEZjmMZ+gAhAxfh3qlf6qC8B/BraZtrENVf6slerv6y5Y7Ee5IM7Cjnp4 HiJQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=rpOW/2MX3KPN3CLjLSrM9a3O1kb+SEWZes5vldLirCo=; b=BcNqnWrErfSpZIQUUO2ONYnvpuB0bcxj0SoCObDb7cutA1fjYP2jC1ziyCE+fHagt5 PomE4AMMzPH9RRG3GxtSjyX23xTTjArIetLRpsCLvJFW5DgF0m8HfXZNW0NFYkaLaG+N PqlhXFpmhsFYyFECT5mzf3Ru4/K4aXIjChv78W8OvnwSoe4KHxD4mpQNrBGNZwuqnI0X gnMFzARxxwCnLMdd2vUugnWSwrWhPCDCRNJeUcEnxzfoveF/SS/YzYxvZIPGjzOp2VaC zAA00feR3I9ZIe7pcBApx1iTKEhTAyH3iKqueBloB/qMsoGWARgOuAaBEJch5tGF6lfz Hj4Q== X-Gm-Message-State: AJaThX4X/Oiufeb2mapz1fkwgiZ8vwqnhhM4KW/oaLlakouq77tso0cF Fsew00EwMr1lpeDaLWba6irmswhvcAmrJT/Q5gY= X-Received: by 10.55.40.76 with SMTP id o73mr1306237qkh.301.1511909529619; Tue, 28 Nov 2017 14:52:09 -0800 (PST) MIME-Version: 1.0 Received: by 10.140.31.132 with HTTP; Tue, 28 Nov 2017 14:52:08 -0800 (PST) In-Reply-To: <20171128221856.GS729@wotan.suse.de> References: <1511803118-2552-1-git-send-email-tixxdz@gmail.com> <1511803118-2552-2-git-send-email-tixxdz@gmail.com> <20171128191405.GO729@wotan.suse.de> <20171128211659.GP729@wotan.suse.de> <20171128221856.GS729@wotan.suse.de> From: Djalal Harouni Date: Tue, 28 Nov 2017 23:52:08 +0100 Message-ID: Subject: Re: [PATCH v5 next 1/5] modules:capabilities: add request_module_cap() To: "Luis R. Rodriguez" Cc: Kees Cook , Andy Lutomirski , Andrew Morton , James Morris , Ben Hutchings , Solar Designer , Serge Hallyn , Jessica Yu , Rusty Russell , LKML , linux-security-module , kernel-hardening@lists.openwall.com, Jonathan Corbet , Ingo Molnar , "David S. Miller" , Network Development , Peter Zijlstra , Linus Torvalds Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Nov 28, 2017 at 11:18 PM, Luis R. Rodriguez wrote: > On Tue, Nov 28, 2017 at 10:33:27PM +0100, Djalal Harouni wrote: >> On Tue, Nov 28, 2017 at 10:16 PM, Luis R. Rodriguez wrote: >> > On Tue, Nov 28, 2017 at 12:11:34PM -0800, Kees Cook wrote: >> >> On Tue, Nov 28, 2017 at 11:14 AM, Luis R. Rodriguez wrote: >> >> > kmod is just a helper to poke userpsace to load a module, that's it. >> >> > >> >> > The old init_module() and newer finit_module() do the real handy work or >> >> > module loading, and both currently only use may_init_module(): >> >> > >> >> > static int may_init_module(void) >> >> > { >> >> > if (!capable(CAP_SYS_MODULE) || modules_disabled) >> >> > return -EPERM; >> >> > >> >> > return 0; >> >> > } >> >> > >> >> > This begs the question: >> >> > >> >> > o If userspace just tries to just use raw finit_module() do we want similar >> >> > checks? >> >> > >> >> > Otherwise, correct me if I'm wrong this all seems pointless. >> >> >> >> Hm? That's direct-loading, not auto-loading. This series is only about >> >> auto-loading. >> > >> > And *all* auto-loading uses aliases? What's the difference between auto-loading >> > and direct-loading? >> >> Not all auto-loading uses aliases, auto-loading is when kernel code >> calls request_module() to loads the feature that was not present, > > It seems the actual interest here is system call implicated request_module() > calls? Because there are uses of request_module() which may be module hacks, > and not implicated via system calls. Indeed. >> and direct-loading in this thread is the direct syscalls like >> finit_module(). > > OK. > >> >> We already have a global sysctl for blocking direct-loading (modules_disabled). >> > >> > My point was that even if you have a CAP_NET_ADMIN check on request_module(), >> > finit_module() will not check for it, so a crafty userspace could still try >> > to just finit_module() directly, and completely then bypass the CAP_NET_ADMIN >> > check. >> >> The finit_module() uses CAP_SYS_MODULE which should allow all modules >> and in this context it should be more privileged than CAP_NET_ADMIN >> which is only for "netdev-%s" (to not load arbitrary modules with it). >> >> finit_module() coming from request_module() always has the >> CAP_NET_ADMIN, hence the check is done before. > > But since CAP_SYS_MODULE is more restrictive, what's the point in checking > for CAP_NET_ADMIN? For backward compatibility with 'netdev' modules since it is for those. >> > So unless I'm missing something, I see no point in adding extra checks for >> > request_module() but nothing for the respective load_module(). >> >> I see, request_module() is called from kernel context which runs in >> init namespace will full capabilities, the spawned userspace modprobe >> will get CAP_SYS_MODULE and all other caps, then after comes modprobe >> and load_module(). > > Right, so defining the gains of adding this extra check is not very clear > yet. It would seem a benefit exists, what is it? it will able to filter if the request_module() should continue loading the module or deny it which prevents spawning the *privileged* usermode helper. This is all based on are we allowed to load new features or not, or IOW I don't want to allow new features or modules autoloading from now and on, as stated in the cover letter for various benefit including security, reduce the amount of kernel code running, but also do not allow new features for anyone like tunneling, etc. >> Btw as suggested by Linus I will update with request_module_cap() and > I can >> offer my help maintaining these bits too. > > Can you start by extending lib/test_module.c and > tools/testing/selftests/kmod/kmod.sh with a proof of concept of the gains here, > as well as ensuring things work as expected ? Alright Luis, thanks for the hint, yes I will make sure to cover these. For gains, kees already answered in the other email, and please check the DCCP exploit and others linked in the cover letter. Thank you! > Luis -- tixxdz From 1585351936781035147@xxx Tue Nov 28 22:50:24 +0000 2017 X-GM-THRID: 1585240691370988488 X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread