Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753276Ab1B1Jvm (ORCPT <rfc822;w@1wt.eu>);
	Mon, 28 Feb 2011 04:51:42 -0500
Received: from mail-bw0-f46.google.com ([209.85.214.46]:33473 "EHLO
	mail-bw0-f46.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752886Ab1B1Jvk (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Mon, 28 Feb 2011 04:51:40 -0500
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=gamma;
        h=sender:date:from:to:cc:subject:message-id:references:mime-version
         :content-type:content-disposition:in-reply-to:user-agent;
        b=Z2YZl5I1vnUqtYtXxz7Sks8BvQL3onv0r66K0NojdEtwZJPtmEnE1kfU8AALs7mPrV
         OK23hwS/LVmuLNMiNkIrU1yu0nz+AAk81dYkA4pUisNxlM8ZsTdPQOcrd3is5oiBjnLf
         Xnzg/P1e+SgzZw+2DCL+S2uS4qHrmd6ASliEo=
Date: Mon, 28 Feb 2011 12:51:33 +0300
From: Vasiliy Kulikov <segoon@openwall.com>
To: Michael Tokarev <mjt@tls.msk.ru>
Cc: Arnd Bergmann <arnd@arndb.de>,
        =?utf-8?B?TWljaGHFgiBNaXJvc8WCYXc=?= <mirqus@gmail.com>,
        Ben Hutchings <bhutchings@solarflare.com>,
        David Miller <davem@davemloft.net>, netdev@vger.kernel.org,
        linux-kernel@vger.kernel.org, kuznet@ms2.inr.ac.ru, pekkas@netcore.fi,
        jmorris@namei.org, yoshfuji@linux-ipv6.org, kaber@trash.net,
        eric.dumazet@gmail.com, therbert@google.com, xiaosuo@gmail.com,
        jesse@nicira.com, kees.cook@canonical.com, eugene@redhat.com,
        dan.j.rosenberg@gmail.com, akpm@linux-foundation.org
Subject: Re: [PATCH] don't allow CAP_NET_ADMIN to load non-netdev kernel
 modules
Message-ID: <20110228095133.GA4351@albatros>
References: <1298660879.2554.23.camel@bwh-desktop>
 <1298666310.2554.47.camel@bwh-desktop>
 <AANLkTikmtKksP6o1hecf0=ZnRv0j4+_Q326UEG8ss16k@mail.gmail.com>
 <201102272122.52643.arnd@arndb.de>
 <4D6B6AE7.2050202@msgid.tls.msk.ru>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4D6B6AE7.2050202@msgid.tls.msk.ru>
User-Agent: Mutt/1.5.20 (2009-06-14)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1641
Lines: 49

On Mon, Feb 28, 2011 at 12:29 +0300, Michael Tokarev wrote:
> 27.02.2011 23:22, Arnd Bergmann wrote:
> > The backwards compatibility should mostly be for systems that today don't
> > use split capabilities, right?
> > 
> > The fallback could therefore rely on CAP_SYS_MODULE as well:
> > 
> > 	if (request_module("netdev-%s", name)) {
> > 		if (capable(CAP_SYS_MODULE))
> > 			request_module("%s", name);
> > 	}
> > 
> > Not 100% solution, but should solve the capability escalation nicely without
> > causing much pain.
> 
> To me this looks like the best solution so far - trivial and
> compatible.

Agreed, it's looks good.  But before the request_module() there is a check
for capabile(CAP_NET_ADMIN), IMO it's better to request either
CAP_NET_ADMIN or CAP_SYS_MODULE, not both of them.

	if (!dev) {
        if (capable(CAP_NET_ADMIN))
            request_module("netdev-%s", name))
        if (capable(CAP_SYS_MODULE) {
            if (!request_module("%s", name))
                WARN_ONE(1, "Loading kernel module for a network device"
" with CAP_SYS_MODULE (deprecated).  Use CAP_NET_ADMIN and alias"
" netdev-%s instead\n", name);
        }
    }

The only drawback is distributions/setups that already use
CAP_SYS_MODULE'less network scripts.

David, are you OK with this way?


Thanks,

-- 
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/