Date: Mon, 27 Nov 2017 11:02:20 -0800 From: Linus Torvalds <torvalds@...ux-foundation.org> To: Djalal Harouni <tixxdz@...il.com> Cc: Kees Cook <keescook@...omium.org>, Andy Lutomirski <luto@...nel.org>, Andrew Morton <akpm@...ux-foundation.org>, "Luis R. Rodriguez" <mcgrof@...nel.org>, James Morris <james.l.morris@...cle.com>, Ben Hutchings <ben.hutchings@...ethink.co.uk>, Solar Designer <solar@...nwall.com>, Serge Hallyn <serge@...lyn.com>, Jessica Yu <jeyu@...nel.org>, Rusty Russell <rusty@...tcorp.com.au>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, LSM List <linux-security-module@...r.kernel.org>, "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, Jonathan Corbet <corbet@....net>, Ingo Molnar <mingo@...nel.org>, "David S. Miller" <davem@...emloft.net>, Network Development <netdev@...r.kernel.org>, Peter Zijlstra <peterz@...radead.org> Subject: Re: [PATCH v5 next 0/5] Improve Module autoloading infrastructure On Mon, Nov 27, 2017 at 10:41 AM, Linus Torvalds <torvalds@...ux-foundation.org> wrote: > > What are the real life use-cases for normal users having modules auto-load? Well, I could do some testing. One case is apparently both bluetoothd and ip6tables that have been converted to indeed use CAP_NET_ADMIN. Annoying. Still, can't we just say "you need to have capabilities" and leave it at that? Something (UNTESTED and whitespace damaged) like this: diff --git a/kernel/kmod.c b/kernel/kmod.c index bc6addd9152b..a3f3218f66c6 100644 --- a/kernel/kmod.c +++ b/kernel/kmod.c @@ -139,6 +139,11 @@ int __request_module(bool wait, const char *fmt, ...) if (!modprobe_path) return 0; + if (WARN_ON_ONCE(!capable(CAP_SYS_MODULE) || + !capable(CAP_SYS_ADMIN) || + !capable(CAP_NET_ADMIN))) + return -EPERM; + va_start(args, fmt); ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args); va_end(args); instead of adding complex infrastructure for something people might not want anyway? Now, the above will not necessarily work with a legacy /dev/ directory where al the nodes have been pre-populated, and opening the device node is supposed to load the module. So _historically_ we did indeed load modules as normal users. But does that really happen any more? I'd hate to default to historical behavior if there's no actual reason to do so. Linus
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.