Date: Mon, 27 Nov 2017 22:31:54 +0100 From: Djalal Harouni <tixxdz@...il.com> To: Linus Torvalds <torvalds@...ux-foundation.org> Cc: Kees Cook <keescook@...omium.org>, Andy Lutomirski <luto@...nel.org>, Andrew Morton <akpm@...ux-foundation.org>, "Luis R. Rodriguez" <mcgrof@...nel.org>, James Morris <james.l.morris@...cle.com>, Ben Hutchings <ben.hutchings@...ethink.co.uk>, Solar Designer <solar@...nwall.com>, Serge Hallyn <serge@...lyn.com>, Jessica Yu <jeyu@...nel.org>, Rusty Russell <rusty@...tcorp.com.au>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, LSM List <linux-security-module@...r.kernel.org>, "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, Jonathan Corbet <corbet@....net>, Ingo Molnar <mingo@...nel.org>, "David S. Miller" <davem@...emloft.net>, Network Development <netdev@...r.kernel.org>, Peter Zijlstra <peterz@...radead.org> Subject: Re: [PATCH v5 next 0/5] Improve Module autoloading infrastructure Hi Linus, On Mon, Nov 27, 2017 at 8:12 PM, Linus Torvalds <torvalds@...ux-foundation.org> wrote: > On Mon, Nov 27, 2017 at 11:02 AM, Linus Torvalds > <torvalds@...ux-foundation.org> wrote: >> >> Now, the above will not necessarily work with a legacy /dev/ directory >> where al the nodes have been pre-populated, and opening the device >> node is supposed to load the module. So _historically_ we did indeed >> load modules as normal users. But does that really happen any more? > > Sadly, it looks like bluetoothd actually does expect to load the > bt-proto-XYZ modules with no capabilities at all. > > So apparently we really do depend on not needing capabilities for > module loading. > > Oh well. Yes DCCP is unprivileged, tun and all tunneling, some md drivers, some crypto, and device drivers... fs modules can be loaded inside usernamespaces, and maybe when some request requires external symbols too... However tunneling helps to solve real usecases, so that's why the backward compatibility and opt-in. I do perfectly understand that opt-in is not the best choice, however these patchset includes a per process tree, and given that lot of code is running in containers and sandboxes, it is better than nothing. I will follow up later with patches to the major ones especially when we force the flag by default. Ubuntu was said to be owned in a past security contest due to this kind of things, and now since they have ubuntu snaps or apps they can set the flag, and others will follow. Thanks! > Linus -- tixxdz
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.