Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 29 Nov 2017 13:46:12 +0000
From: Alan Cox <gnomes@...rguk.ukuu.org.uk>
To: Kees Cook <keescook@...omium.org>
Cc: "Luis R. Rodriguez" <mcgrof@...nel.org>,
        Djalal Harouni
 <tixxdz@...il.com>, Andy Lutomirski <luto@...nel.org>,
        Andrew Morton
 <akpm@...ux-foundation.org>,
        James Morris <james.l.morris@...cle.com>,
        Ben
 Hutchings <ben.hutchings@...ethink.co.uk>,
        Solar Designer
 <solar@...nwall.com>, Serge Hallyn <serge@...lyn.com>,
        Jessica Yu
 <jeyu@...nel.org>, Rusty Russell <rusty@...tcorp.com.au>,
        LKML
 <linux-kernel@...r.kernel.org>,
        linux-security-module
 <linux-security-module@...r.kernel.org>,
        kernel-hardening@...ts.openwall.com, Jonathan Corbet <corbet@....net>,
        Ingo
 Molnar <mingo@...nel.org>,
        "David S. Miller" <davem@...emloft.net>,
        Network
 Development <netdev@...r.kernel.org>,
        Peter Zijlstra
 <peterz@...radead.org>,
        Linus Torvalds <torvalds@...ux-foundation.org>
Subject: Re: [PATCH v5 next 1/5] modules:capabilities: add
 request_module_cap()

On Tue, 28 Nov 2017 13:39:58 -0800
Kees Cook <keescook@...omium.org> wrote:

> On Tue, Nov 28, 2017 at 1:16 PM, Luis R. Rodriguez <mcgrof@...nel.org> wrote:
> > And *all* auto-loading uses aliases? What's the difference between auto-loading
> > and direct-loading?  
> 
> The difference is the process privileges. Unprivilged autoloading
> (e.g. int n_hdlc = N_HDLC; ioctl(fd,
> TIOCSETD, &n_hdlc)), triggers a privileged call to finit_module()
> under CAP_SYS_MODULE.

If you have CAP_SYS_DAC you can rename any module to ppp.ko and ask the
network manager (which has the right permissions) to init a ppp
connection. Capabilities alone are simply not enough to do any kind of
useful protection on a current system and the Linux capability model is
broken architecturally and not fixable because fixing it would break lots
of real systems.

I really don't care what the module loading rules end up with and whether
we add CAP_SYS_YET_ANOTHER_MEANINGLESS_FLAG but what is actually needed
is to properly incorporate it into securiy ruiles for whatever LSM you
are using.

Alan

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.