Received: by 10.223.164.202 with SMTP id h10csp3579707wrb;
        Tue, 28 Nov 2017 13:43:03 -0800 (PST)
X-Google-Smtp-Source: AGs4zMbaJ5U0BTn+MglSiyYhKjriVOVnpkvMIgcrBJmoECNRRDVMeTSo3px4kP0jTlHwUT0bKQwq
X-Received: by 10.84.254.2 with SMTP id b2mr535154plm.407.1511905383015;
        Tue, 28 Nov 2017 13:43:03 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1511905382; cv=none;
        d=google.com; s=arc-20160816;
        b=F3q1UKmOGMA3OAeQdNdf3yS5IPI9WJvDAw22AdGrWKZKYbUxjxSCgZF+Oqa/57zpJh
         YMK81jtUChNierp5Dx3eyLszDffS07123qzxcPva3ExOWo3NyvWBtCowlTjRyvDJdFTK
         AlWB9z/FtNO7vZqFVx917hc2cJr9lKIV/DSozWUL4Zrf0yGh0nHoQrxfQ/27BJ9+9ZfW
         5TGHSJ+vOiACKqAg048x2a+ZquWNgNO3KEuplB3hpmgKi+bzU3TjYmT3GuEUn0tEJ8N3
         9e/0v2gqXHovOfCo/CKgeF4gdsSWg3SiXIs2R4vjdR0nFt/cFcXRnwvISJSNxMdgkfnp
         tr5Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature
         :arc-authentication-results;
        bh=0IbnwL4KbJiCYUCwUDH0/1w4wafGhUKktJBmTaUJcRw=;
        b=AesDqAryml+/62fIPFnBO8syZ2/NW/R7Q2rwNWJ2y1tkZHbf1pAhom189dZELg6kBa
         UZSTngiSx0O8R4+xF0sesduNPj8e+cHGfLtpwGkLCl3cxXB96rU/TJ8jsqwv4kAONUUQ
         6xN+KxF9N8S2flYB9FOhTNCg1PquZslXMrU/1auPaDGeoNzBrpy9Ffh1w6am8hFGVwGR
         BbiH17EvGKigVakvd9pNZH59/7R2lB0+DrsRH7EH9IbTOF8GLaVN+n7OEdXDYOwQUyjx
         O9H9aDi/YtNC6wTmAQ3fSJ3//FJk5zbf2mgd/AHQa2ZG9gLP9mi5VOQNY2MOj759dX1S
         fzDA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=NkowFE2j;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id z23si101005pgc.428.2017.11.28.13.42.52;
        Tue, 28 Nov 2017 13:43:02 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=NkowFE2j;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752694AbdK1Vdb (ORCPT <rfc822;charleyewang@gmail.com>
        + 70 others); Tue, 28 Nov 2017 16:33:31 -0500
Received: from mail-qt0-f195.google.com ([209.85.216.195]:43168 "EHLO
        mail-qt0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752600AbdK1Vd2 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 28 Nov 2017 16:33:28 -0500
Received: by mail-qt0-f195.google.com with SMTP id w10so1785118qtb.10;
        Tue, 28 Nov 2017 13:33:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=0IbnwL4KbJiCYUCwUDH0/1w4wafGhUKktJBmTaUJcRw=;
        b=NkowFE2jnHeYNkEUsoG7TzczgbcWj8RDZdEIw9URTzVWOsFBjHZol7nf6A4bpAbRiy
         xqC/dmgunEHLrgqaCefJ2yRhH/VO3Q1WDhtiPDSPWTkdoMSIOL22QTy2Eg9VPSh+2ZSz
         WVzunHWC63y8WQz0TZZc4Lnuq0NXI7Gu5oau0Kqo4zzDYgbF61hXFCJ6YGslo8rfPDkW
         eW7zesVw0qBCtKjuyUD3AjX9XhrHOJx4Ic9xuJULk3l9nzaVkcte7GzsOotAUdU1KhlI
         bdtzbGIzABECS7kZkak4ev//WG4bfxohGjw80uvXmpcOkxE8QSwR7t1hWyxJ/xyUnl1f
         6jGA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=0IbnwL4KbJiCYUCwUDH0/1w4wafGhUKktJBmTaUJcRw=;
        b=fA2QKqGyPKGDfsJusOKNGpyTkhc+Mh9ZiAY8FhkfR7Zzgs1wqntnyhDTqaERQA5K9Z
         4q5L2Ex/t4At3OZVRpfH472jHrgo+ybKaHLzsmv2CMwetWDIZpk0sFh3ZckkhblljUoF
         Pl5VoTMZ3R8nrlhcVeS+PfaSvP8EyaObl39tAfSvQlJeu6KmYT33xTAkEYAyFeRnXxHk
         tNV7WrFqSH/puv8Gd3rr18T6jVB03WZ8ELjGrD6UESh9HC9cOlAE6ILsdROFyo8Oy3WE
         ftcPyZgvG0Vwz40YRZ9Z+xXfXHMoNdOsOQ1C0jdR51nEbGUScnF3gjRCOc2iUHvdVN0H
         lI9Q==
X-Gm-Message-State: AJaThX49WzBOpktTIsb1hs8pylnAZrDUgDeDpLVsdwpMBGHZqpQTXaZ6
        TRswphJDkvl1EFiOb0HQqU1iY/ekcI1yZs27iHw=
X-Received: by 10.200.47.230 with SMTP id m35mr1011651qta.220.1511904807759;
 Tue, 28 Nov 2017 13:33:27 -0800 (PST)
MIME-Version: 1.0
Received: by 10.140.31.132 with HTTP; Tue, 28 Nov 2017 13:33:27 -0800 (PST)
In-Reply-To: <20171128211659.GP729@wotan.suse.de>
References: <1511803118-2552-1-git-send-email-tixxdz@gmail.com>
 <1511803118-2552-2-git-send-email-tixxdz@gmail.com> <20171128191405.GO729@wotan.suse.de>
 <CAGXu5jKgHWNE4NH_xqcM084-BNBPy+HmEVPbTA+w_=K3S6gC=w@mail.gmail.com> <20171128211659.GP729@wotan.suse.de>
From:   Djalal Harouni <tixxdz@gmail.com>
Date:   Tue, 28 Nov 2017 22:33:27 +0100
Message-ID: <CAEiveUf3Zdw=+MPTHRSRsNq3o9M0XOgnXBVszdsGAPvhyS5wLw@mail.gmail.com>
Subject: Re: [PATCH v5 next 1/5] modules:capabilities: add request_module_cap()
To:     "Luis R. Rodriguez" <mcgrof@kernel.org>
Cc:     Kees Cook <keescook@chromium.org>,
        Andy Lutomirski <luto@kernel.org>,
        Andrew Morton <akpm@linux-foundation.org>,
        James Morris <james.l.morris@oracle.com>,
        Ben Hutchings <ben.hutchings@codethink.co.uk>,
        Solar Designer <solar@openwall.com>,
        Serge Hallyn <serge@hallyn.com>, Jessica Yu <jeyu@kernel.org>,
        Rusty Russell <rusty@rustcorp.com.au>,
        LKML <linux-kernel@vger.kernel.org>,
        linux-security-module <linux-security-module@vger.kernel.org>,
        kernel-hardening@lists.openwall.com,
        Jonathan Corbet <corbet@lwn.net>,
        Ingo Molnar <mingo@kernel.org>,
        "David S. Miller" <davem@davemloft.net>,
        Network Development <netdev@vger.kernel.org>,
        Peter Zijlstra <peterz@infradead.org>,
        Linus Torvalds <torvalds@linux-foundation.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Nov 28, 2017 at 10:16 PM, Luis R. Rodriguez <mcgrof@kernel.org> wrote:
> On Tue, Nov 28, 2017 at 12:11:34PM -0800, Kees Cook wrote:
>> On Tue, Nov 28, 2017 at 11:14 AM, Luis R. Rodriguez <mcgrof@kernel.org> wrote:
>> > kmod is just a helper to poke userpsace to load a module, that's it.
>> >
>> > The old init_module() and newer finit_module() do the real handy work or
>> > module loading, and both currently only use may_init_module():
>> >
>> > static int may_init_module(void)
>> > {
>> >         if (!capable(CAP_SYS_MODULE) || modules_disabled)
>> >                 return -EPERM;
>> >
>> >         return 0;
>> > }
>> >
>> > This begs the question:
>> >
>> >   o If userspace just tries to just use raw finit_module() do we want similar
>> >     checks?
>> >
>> > Otherwise, correct me if I'm wrong this all seems pointless.
>>
>> Hm? That's direct-loading, not auto-loading. This series is only about
>> auto-loading.
>
> And *all* auto-loading uses aliases? What's the difference between auto-loading
> and direct-loading?

Not all auto-loading uses aliases, auto-loading is when kernel code
calls request_module() to loads the feature that was not present, and
direct-loading in this thread is the direct syscalls like
finit_module().

>> We already have a global sysctl for blocking direct-loading (modules_disabled).
>
> My point was that even if you have a CAP_NET_ADMIN check on request_module(),
> finit_module() will not check for it, so a crafty userspace could still try
> to just finit_module() directly, and completely then bypass the CAP_NET_ADMIN
> check.

The finit_module() uses CAP_SYS_MODULE which should allow all modules
and in this context it should be more privileged than CAP_NET_ADMIN
which is only for "netdev-%s" (to not load arbitrary modules with it).

finit_module() coming from request_module() always has the
CAP_NET_ADMIN, hence the check is done before.

> So unless I'm missing something, I see no point in adding extra checks for
> request_module() but nothing for the respective load_module().

I see, request_module() is called from kernel context which runs in
init namespace will full capabilities, the spawned userspace modprobe
will get CAP_SYS_MODULE and all other caps, then after comes modprobe
and load_module().

Btw as suggested by Linus I will update with request_module_cap() and
I can offer my help maintaining these bits too.


>
>   Luis



-- 
tixxdz

From 1585347660384968964@xxx Tue Nov 28 21:42:26 +0000 2017
X-GM-THRID: 1585240691370988488
X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread