All of lore.kernel.org
 help / color / mirror / Atom feed
From: Ben Hutchings <bhutchings@solarflare.com>
To: Valdis.Kletnieks@vt.edu
Cc: Vasiliy Kulikov <segoon@openwall.com>,
	"David S. Miller" <davem@davemloft.net>,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
	Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>,
	"Pekka Savola (ipv6)" <pekkas@netcore.fi>,
	James Morris <jmorris@namei.org>,
	Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
	Patrick McHardy <kaber@trash.net>,
	Eric Dumazet <eric.dumazet@gmail.com>,
	Tom Herbert <therbert@google.com>,
	Changli Gao <xiaosuo@gmail.com>, Jesse Gross <jesse@nicira.com>
Subject: Re: [PATCH] don't allow CAP_NET_ADMIN to load non-netdev kernel modules
Date: Fri, 25 Feb 2011 17:48:14 +0000	[thread overview]
Message-ID: <1298656094.2554.22.camel@bwh-desktop> (raw)
In-Reply-To: <135187.1298654740@localhost>

On Fri, 2011-02-25 at 12:25 -0500, Valdis.Kletnieks@vt.edu wrote:
> On Fri, 25 Feb 2011 18:14:14 +0300, Vasiliy Kulikov said:
> > Since a8f80e8ff94ecba629542d9b4b5f5a8ee3eb565c any process with
> > CAP_NET_ADMIN may load any module from /lib/modules/.  This doesn't mean
> > that CAP_NET_ADMIN is a superset of CAP_SYS_MODULE as modules are limited
> > to /lib/modules/**.  However, CAP_NET_ADMIN capability shouldn't allow
> > anybody load any module not related to networking.
> > 
> > This patch restricts an ability of autoloading modules to netdev modules
> > with explicit aliases.  Currently there are only three users of the
> > feature: ipip, ip_gre and sit.
> 
> And you stop an attacker from simply recompiling the module with a suitable
> MODULE_ALIAS line added, how, exactly?  This patch may make sense down the
> road, but not while it's still trivial for a malicious root user to drop stuff
> into /lib/modules.

A process running as root normally has CAP_NET_ADMIN, but not every
process with CAP_NET_ADMIN will be running as root.

> And if you're going the route "but SELinux/SMACK/Tomoyo will prevent a malicious
> root user from doing that", then the obvious reply is "this should be part of those
> subsystems rather than something done one-off like this (especially as it has a chance
> of breaking legitimate setups that use the current scheme).

The notional attacker has CAP_NET_ADMIN, perhaps through a vulnerable
service or a vulnerable set-capability executable.  They do not yet have
full root access and so cannot install a module, even in the absence of
an LSM.

So long as the attacker is able to load arbitrary modules, however, they
could exploit a vulnerability in any installed (not loaded) module.
Again, LSMs are irrelevant to this as they do not protect against kernel
bugs.

Ben.

-- 
Ben Hutchings, Senior Software Engineer, Solarflare Communications
Not speaking for my employer; that's the marketing department's job.
They asked us to note that Solarflare product names are trademarked.


  parent reply	other threads:[~2011-02-25 17:48 UTC|newest]

Thread overview: 54+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-02-24 15:12 module loading with CAP_NET_ADMIN Vasiliy Kulikov
2011-02-24 16:34 ` Ben Hutchings
2011-02-25 12:30   ` Vasiliy Kulikov
2011-02-25 15:14     ` [PATCH] don't allow CAP_NET_ADMIN to load non-netdev kernel modules Vasiliy Kulikov
2011-02-25 17:25       ` Valdis.Kletnieks
2011-02-25 17:47         ` Vasiliy Kulikov
2011-02-25 17:48         ` Ben Hutchings [this message]
2011-02-25 18:47       ` David Miller
2011-02-25 19:02         ` Vasiliy Kulikov
2011-02-25 19:05           ` David Miller
2011-02-25 19:07             ` Ben Hutchings
2011-02-25 19:16               ` David Miller
2011-02-25 19:30                 ` Ben Hutchings
2011-02-25 19:43                   ` David Miller
2011-02-25 19:53                     ` Ben Hutchings
2011-02-25 20:37                       ` David Miller
2011-02-25 20:38                       ` Ben Hutchings
2011-02-25 20:59                         ` Michał Mirosław
2011-02-27 20:22                           ` Arnd Bergmann
2011-02-28  9:29                             ` Michael Tokarev
2011-02-28  9:51                               ` Vasiliy Kulikov
2011-02-28 19:23                                 ` David Miller
2011-03-01 19:48                                   ` [PATCH] net: " Vasiliy Kulikov
2011-03-01 20:13                                     ` Ben Hutchings
2011-03-01 21:33                                       ` [PATCH v2] " Vasiliy Kulikov
2011-03-02  7:15                                         ` Michael Tokarev
2011-03-09 22:06                                           ` Vasiliy Kulikov
2011-03-09 22:09                                             ` David Miller
2011-03-09 22:53                                               ` James Morris
2011-03-10  9:49                                                 ` Vasiliy Kulikov
2011-03-02 16:01                                         ` Kees Cook
2011-03-02 19:39                                         ` Jake Edge
2011-03-02 19:43                                           ` Vasiliy Kulikov
2011-03-02 19:49                                             ` Jake Edge
2011-03-02 20:18                                               ` Vasiliy Kulikov
2011-03-02 20:38                                                 ` Jake Edge
2011-03-02 20:40                                                 ` Jake Edge
2011-03-22 20:47                                         ` Eric Paris
2011-03-22 20:47                                           ` Eric Paris
2011-03-24 15:37                                           ` Serge E. Hallyn
2011-03-24 18:03                                             ` Eric Paris
2011-03-24 18:33                                               ` Ben Hutchings
2011-03-24 20:26                                                 ` Serge E. Hallyn
2011-03-24 21:39                                                   ` Stephen Hemminger
2011-03-24 21:46                                                     ` David Miller
2011-03-24 21:57                                                       ` Serge E. Hallyn
2011-03-24 22:15                                                         ` Eric Paris
2011-03-24 21:57                                                       ` Greg KH
2011-03-26 10:35                                                       ` Vasiliy Kulikov
2011-02-27 11:44                 ` [PATCH] " Vasiliy Kulikov
2011-02-27 23:18                   ` David Miller
2011-02-27 23:19                   ` David Miller
2011-02-25 15:29     ` module loading with CAP_NET_ADMIN Michael Tokarev
2011-02-25 15:57       ` Vasiliy Kulikov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1298656094.2554.22.camel@bwh-desktop \
    --to=bhutchings@solarflare.com \
    --cc=Valdis.Kletnieks@vt.edu \
    --cc=davem@davemloft.net \
    --cc=eric.dumazet@gmail.com \
    --cc=jesse@nicira.com \
    --cc=jmorris@namei.org \
    --cc=kaber@trash.net \
    --cc=kuznet@ms2.inr.ac.ru \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=pekkas@netcore.fi \
    --cc=segoon@openwall.com \
    --cc=therbert@google.com \
    --cc=xiaosuo@gmail.com \
    --cc=yoshfuji@linux-ipv6.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.