Date: Mon, 28 Feb 2011 12:51:33 +0300
From: Vasiliy Kulikov
To: Michael Tokarev
Cc: Arnd Bergmann, Michał Mirosław, Ben Hutchings, David Miller, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, kuznet@ms2.inr.ac.ru, pekkas@netcore.fi, jmorris@namei.org, yoshfuji@linux-ipv6.org, kaber@trash.net, eric.dumazet@gmail.com, therbert@google.com, xiaosuo@gmail.com, jesse@nicira.com, kees.cook@canonical.com, eugene@redhat.com, dan.j.rosenberg@gmail.com, akpm@linux-foundation.org
Subject: Re: [PATCH] don't allow CAP_NET_ADMIN to load non-netdev kernel modules
Message-ID: <20110228095133.GA4351@albatros>
References: <1298660879.2554.23.camel@bwh-desktop> <1298666310.2554.47.camel@bwh-desktop> <201102272122.52643.arnd@arndb.de> <4D6B6AE7.2050202@msgid.tls.msk.ru>
In-Reply-To: <4D6B6AE7.2050202@msgid.tls.msk.ru>

On Mon, Feb 28, 2011 at 12:29 +0300, Michael Tokarev wrote:
> 27.02.2011 23:22, Arnd Bergmann wrote:
> > The backwards compatibility should mostly be for systems that today don't
> > use split capabilities, right?
> >
> > The fallback could therefore rely on CAP_SYS_MODULE as well:
> >
> > 	if (request_module("netdev-%s", name)) {
> > 		if (capable(CAP_SYS_MODULE))
> > 			request_module("%s", name);
> > 	}
> >
> > Not 100% solution, but should solve the capability escalation nicely without
> > causing much pain.
>
> To me this looks like the best solution so far - trivial and
> compatible.

Agreed, it looks good. But before the request_module() there is a check
for capable(CAP_NET_ADMIN), IMO it's better to request either
CAP_NET_ADMIN or CAP_SYS_MODULE, not both of them.

	if (!dev) {
		if (capable(CAP_NET_ADMIN))
			request_module("netdev-%s", name);
		if (capable(CAP_SYS_MODULE)) {
			if (!request_module("%s", name))
				WARN_ONCE(1, "Loading kernel module for a network device"
					  " with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias"
					  " netdev-%s instead\n", name);
		}
	}

The only drawback is distributions/setups that already use
CAP_SYS_MODULE'less network scripts.

David, are you OK with this way?

Thanks,

-- 
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
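The capability split discussed above can be checked outside the kernel with a small userspace model. The following is an added example, not code from this thread or from the kernel: request_module() and capable() are replaced by stubs, the capability bits and the table of "installed" modules are constructed, and dev_load_proposed() combines Arnd's ordering (bare-name fallback only when the aliased request did not succeed) with Vasiliy's per-capability gating. It shows why the change matters: in the old behaviour CAP_NET_ADMIN alone is enough to load a module unrelated to networking, while in the proposed behaviour CAP_NET_ADMIN only reaches modules that carry a "netdev-" alias and the bare name needs CAP_SYS_MODULE.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed capability bits for the model; not the kernel's numbering. */
#define CAP_NET_ADMIN  (1u << 0)
#define CAP_SYS_MODULE (1u << 1)

/* Constructed "installed modules" table: a driver reachable through its
 * netdev- alias, the same driver under its bare name, and an unrelated
 * module that a network administrator should not be able to load. */
static const char *const module_table[] = {
	"netdev-dummy", "dummy", "unrelated_mod", NULL
};

#define MAX_REQ 4
#define NAME_MAX_LEN 64
static char requested[MAX_REQ][NAME_MAX_LEN];
static int nrequested;

static void reset_requests(void) { nrequested = 0; }

/* Accessors so a caller can inspect which names were requested. */
int requested_count(void) { return nrequested; }
const char *requested_name(int i)
{
	return (i >= 0 && i < nrequested) ? requested[i] : "";
}

static int capable_sim(unsigned caps, unsigned cap) { return (caps & cap) != 0; }

/* Stub for request_module(): records "<prefix><name>" and reports whether
 * such a module exists in the constructed table (0) or not (-ENOENT). */
static int request_module_sim(const char *prefix, const char *name)
{
	char buf[NAME_MAX_LEN];

	snprintf(buf, sizeof buf, "%s%s", prefix, name);
	if (nrequested < MAX_REQ)
		snprintf(requested[nrequested++], NAME_MAX_LEN, "%s", buf);
	for (int i = 0; module_table[i]; i++)
		if (strcmp(module_table[i], buf) == 0)
			return 0;
	return -ENOENT;
}

/* Pre-patch behaviour: CAP_NET_ADMIN gates a request_module() on the raw
 * interface name, so any module name that reaches this path gets loaded. */
int dev_load_old(unsigned caps, const char *name)
{
	reset_requests();
	if (!capable_sim(caps, CAP_NET_ADMIN))
		return -EPERM;
	return request_module_sim("", name);
}

/* Proposed behaviour: CAP_NET_ADMIN only reaches modules carrying a
 * "netdev-" alias; the bare name is a deprecated fallback that requires
 * CAP_SYS_MODULE and is only tried when the aliased request did not succeed. */
int dev_load_proposed(unsigned caps, const char *name)
{
	int ret = -EPERM;

	reset_requests();
	if (capable_sim(caps, CAP_NET_ADMIN))
		ret = request_module_sim("netdev-", name);
	if (ret != 0 && capable_sim(caps, CAP_SYS_MODULE)) {
		ret = request_module_sim("", name);
		if (ret == 0)
			fprintf(stderr, "deprecated: loaded %s via CAP_SYS_MODULE; "
				"add alias netdev-%s\n", name, name);
	}
	return ret;
}

int main(void)
{
	printf("old, CAP_NET_ADMIN, unrelated_mod: %d\n",
	       dev_load_old(CAP_NET_ADMIN, "unrelated_mod"));
	printf("new, CAP_NET_ADMIN, unrelated_mod: %d\n",
	       dev_load_proposed(CAP_NET_ADMIN, "unrelated_mod"));
	printf("new, CAP_NET_ADMIN, dummy: %d\n",
	       dev_load_proposed(CAP_NET_ADMIN, "dummy"));
	printf("new, CAP_SYS_MODULE, dummy: %d\n",
	       dev_load_proposed(CAP_SYS_MODULE, "dummy"));
	return 0;
}
```

The first printed line is the escalation the patch closes: the old path returns 0 for "unrelated_mod" with nothing but CAP_NET_ADMIN. The proposed path only ever asks for "netdev-unrelated_mod", which no driver aliases, and a process without CAP_SYS_MODULE gets -ENOENT.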