* Domain of kernel module initalization code
@ 2016-12-27 11:01 Luis Ressel
2016-12-27 18:25 ` Stephen Smalley
0 siblings, 1 reply; 2+ messages in thread
From: Luis Ressel @ 2016-12-27 11:01 UTC (permalink / raw)
To: selinux
Hello,
when a userspace program A (usually kmod or udev) instructs the kernel
to load a kernel module via the finit_module syscall, the kernel loads
the module into its address space and executes the initalization
routine provided by the module.
This initialization routine then runs in A's SELinux domain. While that
makes sense implementation-wise and is indeed what I'd expected (going
by my admittely fairly basic understanding of the SELinux internals),
I'm not sure whether this is how the kernel should behave.
For example, this behaviour is currently triggering a bug on my
systems: Since Linux 4.8, most graphics drivers need CAP_SYS_ADMIN
during their module initialization (due to what is probably a kernel
bug). Hence, loading them with udev works fine because my SELinux
policy allows udev to use this capability, but those modules can't be
loaded manually with kmod/modprobe.
I could of course work around that by granting kmod the 'self:capability
sys_admin' permission, but I'm reluctant to do this since kmod itself
does not require CAP_SYS_ADMIN for its operations.
Any thoughts on this matter?
Regards,
Luis Ressel
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: Domain of kernel module initalization code
2016-12-27 11:01 Domain of kernel module initalization code Luis Ressel
@ 2016-12-27 18:25 ` Stephen Smalley
0 siblings, 0 replies; 2+ messages in thread
From: Stephen Smalley @ 2016-12-27 18:25 UTC (permalink / raw)
To: Luis Ressel; +Cc: selinux
[-- Attachment #1: Type: text/plain, Size: 1531 bytes --]
On Dec 27, 2016 6:04 AM, "Luis Ressel" <aranea@aixah.de> wrote:
Hello,
when a userspace program A (usually kmod or udev) instructs the kernel
to load a kernel module via the finit_module syscall, the kernel loads
the module into its address space and executes the initalization
routine provided by the module.
This initialization routine then runs in A's SELinux domain. While that
makes sense implementation-wise and is indeed what I'd expected (going
by my admittely fairly basic understanding of the SELinux internals),
I'm not sure whether this is how the kernel should behave.
For example, this behaviour is currently triggering a bug on my
systems: Since Linux 4.8, most graphics drivers need CAP_SYS_ADMIN
during their module initialization (due to what is probably a kernel
bug). Hence, loading them with udev works fine because my SELinux
policy allows udev to use this capability, but those modules can't be
loaded manually with kmod/modprobe.
I could of course work around that by granting kmod the 'self:capability
sys_admin' permission, but I'm reluctant to do this since kmod itself
does not require CAP_SYS_ADMIN for its operations.
Any thoughts on this matter?
Perhaps the kernel should switch to the init task cred before executing the
module init code.
Regards,
Luis Ressel
_______________________________________________
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
To get help, send an email containing "help" to
Selinux-request@tycho.nsa.gov.
[-- Attachment #2: Type: text/html, Size: 2430 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2016-12-27 18:25 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-12-27 11:01 Domain of kernel module initalization code Luis Ressel
2016-12-27 18:25 ` Stephen Smalley
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.