Received: by 10.223.164.202 with SMTP id h10csp3501450wrb; Tue, 28 Nov 2017 12:20:50 -0800 (PST) X-Google-Smtp-Source: AGs4zMYPSGzvtP0Y8G13t3qDNvrKvq11IZ5YCGAioO07S9HTb/a31kIuFKV3QcdkStshOleN3Qr/ X-Received: by 10.159.231.20 with SMTP id w20mr389098plq.398.1511900450581; Tue, 28 Nov 2017 12:20:50 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1511900450; cv=none; d=google.com; s=arc-20160816; b=OLpv490qSMxML52QWMxAFgffqxqsQX+otBvXvH2uNCcjjBNZ7y647LB+pj6W74GAM+ N1U95r5Jk2EJ5zoZsUIu/+ko9nsNCxHJTmtP4MVp2ikzvP9PGiGPoGSh0oV+v+r7MZdv Vp9ewkHy69beXRemVIYq91MQAffbnDJaNyzhPa6M+2QPV0Zpy+Dg2ZLUgdaDHss66W11 tPiBEKuEvaja6uT5LxUXY4KN7hQ3RjI9gCSGFy5nvxuCdWk3VTtgl6YwmgGYDr6MRowY N8gUUA2dr5KKy8uSMeAQ2iCemasMieSg9m8mxwAg4QhoOvmRtC3ppkCCzvAkIkV5+9Fx WglA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=BOHE+qL69xvYYwylX0OwFDrNP0HPj/A9B2OqQhZ3xRI=; b=WnOcw1MQIUApyBucYODZCw50FVRcFTLtCk52P8s+zI10mtoUIfjW2c1ahDJ6mBX6ZS eIA9V9EpT7Hr2ritOzkZMloOjFqeMV4otSLbq5nij2a8xSik0Fn+1DXWvZAfuuEKgbrb Z/eGAeHFsaXRFj8Pl6QeBj8/dryi4vMxAQuiSG6UAOYtVGMwLXrArJL4Dr8YyBzZN19y vkq3TNsSxuYikqg0LphKL+/SqMGHKQJqXDIs2D1kyfLS+1XZ8bFl1Sb8HJngAI8dDatT JO5oyH0fkd/hO0YUUR1xxqaS0CYBQhg6gcxxZTY5FR/oeN2im8eWeeOXLD6OV5PzjYmf ly6w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=tQRFUzFq; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id r16si28098052pfk.363.2017.11.28.12.20.39; Tue, 28 Nov 2017 12:20:50 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=tQRFUzFq; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753520AbdK1USm (ORCPT + 70 others); Tue, 28 Nov 2017 15:18:42 -0500 Received: from mail-qk0-f194.google.com ([209.85.220.194]:44394 "EHLO mail-qk0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752892AbdK1USj (ORCPT ); Tue, 28 Nov 2017 15:18:39 -0500 Received: by mail-qk0-f194.google.com with SMTP id h19so1507269qkj.11; Tue, 28 Nov 2017 12:18:39 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=BOHE+qL69xvYYwylX0OwFDrNP0HPj/A9B2OqQhZ3xRI=; b=tQRFUzFqFfn9x+FOtVA3hiSKPFIG4yJRAnNJomz1TUc+fHOO3SgGdgmFZytv3yn9tF BEESLjo+bsq0xndII4fUo2Hus/t+BCaQmAupw56iMgtPHqfwjXoCWkNXMNhbP55K45kA +H3qgjrKp6e7sG9MXlbSK5zb5wmoEAv5EYD7SjBEOi8eEd57om1D6g7RPFgs+llVyqSk yG1ukPeJg8gGvUgPZNLJNbcjzUtbhG50Kq2mPJzZjii0l8IaVMJuEV8JZxQXEmxNjMG/ a65VtAC/xJyoKgWHcVkRviKJfOW8dcFib751eqafZ8k+KvoKq7gTjjzcatFvtwlRKDZQ QHgA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=BOHE+qL69xvYYwylX0OwFDrNP0HPj/A9B2OqQhZ3xRI=; b=PJbOARAfCN2fa825AIxAFbUUnE1eBeqiCzRJuG/1Wh8QTkpEFrqaP1v5uJpIc3QGjO imO7VQ9w5t4YrarG25Jz0vYHFyHZ6OhW1Op7BjrMco8Vv6FzEBnuurhljGcIAoevN2P3 JT06FBquTPlHgasuge14IZEmZBahxnD5gW7kN+5XlsIi6FLA4+n/3XXbr4ZaA67MfchF LY6b2tCCNqVio4EoNgCi8oQY9PzP1NuxRgLfJxMJqZYM3ONEz5oS5PQxYYQ07aFdhb/o Cjktkmd/906p/8tLXNOtSrsjqBhtGw9BME6GfofGsgZOZPArSiIihaXKug9xkCQnRmjF Rg+g== X-Gm-Message-State: AJaThX5Cu4YAJwo0kGgsHfS5i4RTMW+JE92xVfs7INNUArUY83QLsfk7 m2dR52xOKPGo28mvjosFH71A5qLcNvkshaJ5dco= X-Received: by 10.55.214.133 with SMTP id p5mr676091qkl.212.1511900318759; Tue, 28 Nov 2017 12:18:38 -0800 (PST) MIME-Version: 1.0 Received: by 10.140.31.132 with HTTP; Tue, 28 Nov 2017 12:18:38 -0800 (PST) In-Reply-To: <20171128191405.GO729@wotan.suse.de> References: <1511803118-2552-1-git-send-email-tixxdz@gmail.com> <1511803118-2552-2-git-send-email-tixxdz@gmail.com> <20171128191405.GO729@wotan.suse.de> From: Djalal Harouni Date: Tue, 28 Nov 2017 21:18:38 +0100 Message-ID: Subject: Re: [PATCH v5 next 1/5] modules:capabilities: add request_module_cap() To: "Luis R. Rodriguez" Cc: Kees Cook , Andy Lutomirski , Andrew Morton , James Morris , Ben Hutchings , Solar Designer , Serge Hallyn , Jessica Yu , Rusty Russell , linux-kernel , LSM List , kernel-hardening@lists.openwall.com, Jonathan Corbet , Ingo Molnar , "David S. Miller" , Network Development , Peter Zijlstra , Linus Torvalds Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Luis, On Tue, Nov 28, 2017 at 8:14 PM, Luis R. Rodriguez wrote: > On Mon, Nov 27, 2017 at 06:18:34PM +0100, Djalal Harouni wrote: > ... > >> After a discussion with Rusty Russell [1], the suggestion was to pass >> the capability from request_module() to security_kernel_module_request() >> for 'netdev-%s' modules that need CAP_NET_ADMIN, and after review from >> Kees Cook [2] and experimenting with the code, the patch now does the >> following: >> >> * Adds the request_module_cap() function. >> * Updates the __request_module() to take the "required_cap" argument >> with the "prefix". > > ... > >> Signed-off-by: Djalal Harouni >> --- >> diff --git a/kernel/kmod.c b/kernel/kmod.c >> index bc6addd..679d401 100644 >> --- a/kernel/kmod.c >> +++ b/kernel/kmod.c >> @@ -139,13 +147,22 @@ int __request_module(bool wait, const char *fmt, ...) >> if (!modprobe_path[0]) >> return 0; >> >> + /* >> + * Lets attach the prefix to the module name >> + */ >> + if (prefix != NULL && *prefix != '\0') { >> + len += snprintf(module_name, MODULE_NAME_LEN, "%s-", prefix); >> + if (len >= MODULE_NAME_LEN) >> + return -ENAMETOOLONG; >> + } >> + >> va_start(args, fmt); >> - ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args); >> + ret = vsnprintf(module_name + len, MODULE_NAME_LEN - len, fmt, args); >> va_end(args); >> - if (ret >= MODULE_NAME_LEN) >> + if (ret >= MODULE_NAME_LEN - len) >> return -ENAMETOOLONG; >> >> - ret = security_kernel_module_request(module_name); >> + ret = security_kernel_module_request(module_name, required_cap, prefix); >> if (ret) >> return ret; >> > > kmod is just a helper to poke userpsace to load a module, that's it. > > The old init_module() and newer finit_module() do the real handy work or > module loading, and both currently only use may_init_module(): > > static int may_init_module(void) > { > if (!capable(CAP_SYS_MODULE) || modules_disabled) > return -EPERM; > > return 0; > } > > This begs the question: > > o If userspace just tries to just use raw finit_module() do we want similar > checks? > > Otherwise, correct me if I'm wrong this all seems pointless. > > If we want something similar I think we might need to be processing aliases and > check for the aliases for their desired restrictions on finit_module(), > otherwise userspace can skip through the checks if the module name does not > match the alias prefix. > > To be clear, aliases are completely ignored today on load_module(), so loading > 'xfs' with finit_module() will just have the kernel know about 'xfs' not > 'fs-xfs'. > > So we currently do not process aliases in kernel. > > I have debugging patches to enable us to process them, but they are just for > debugging and I've been meaning to send them in for review. I designed them > only for debugging given last time someone suggested for aliases processing to > be added, the only use case we found was a pre-optimizations we decided to avoid > pursuing. Debugging is a good reason to have alias processing in-kernel though. > > The pre-optimization we decided to stay away from was to check if the requested > module via request_module() was already loaded *and* also check if the name passed > matches any of the existing module aliases for currently loaded modules. Today > request_module() does not even check if a requested module is already loaded, > its a stupid loader, it just goes to userspace, and lets userspace figure it > out. Userspace in turn could check for aliases, but it could lie, or not be up > to date to do that. > > The pre-optmization is a theoretical gain only then, and if userspace had > proper alias checking it is arguable that it may perform just as equal. > To help valuate these sorts of things we now have: > > tools/testing/selftests/kmod/kmod.sh > > So further patches can use and test impact with it. > > Anyway -- so aliasing is currently only a debugging consideration, but without > processing aliases, all this work seems pointless to me as the real loader is > in finit_module(). These patchset are about module auto-loading which is triggered from multiple paths in the kernel, the cover letter notes all the differences between the two operations and why the explicit one and "modules_disabled=1" is already a pain. The finit_module() is covered directly by CAP_SYS_MODULE, and for aliasing I am not sure how it will be related or how userspace will maintain it, we do not have a use case for it, we want a simple flag. Thank you! -- tixxdz From 1585342003714761434@xxx Tue Nov 28 20:12:31 +0000 2017 X-GM-THRID: 1585240691370988488 X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread