From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753360AbdK1WTB (ORCPT ); Tue, 28 Nov 2017 17:19:01 -0500 Received: from mx2.suse.de ([195.135.220.15]:40522 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752517AbdK1WS7 (ORCPT ); Tue, 28 Nov 2017 17:18:59 -0500 Date: Tue, 28 Nov 2017 23:18:56 +0100 From: "Luis R. Rodriguez" To: Djalal Harouni Cc: "Luis R. Rodriguez" , Kees Cook , Andy Lutomirski , Andrew Morton , James Morris , Ben Hutchings , Solar Designer , Serge Hallyn , Jessica Yu , Rusty Russell , LKML , linux-security-module , kernel-hardening@lists.openwall.com, Jonathan Corbet , Ingo Molnar , "David S. Miller" , Network Development , Peter Zijlstra , Linus Torvalds Subject: Re: [PATCH v5 next 1/5] modules:capabilities: add request_module_cap() Message-ID: <20171128221856.GS729@wotan.suse.de> References: <1511803118-2552-1-git-send-email-tixxdz@gmail.com> <1511803118-2552-2-git-send-email-tixxdz@gmail.com> <20171128191405.GO729@wotan.suse.de> <20171128211659.GP729@wotan.suse.de> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.6.0 (2016-04-01) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Nov 28, 2017 at 10:33:27PM +0100, Djalal Harouni wrote: > On Tue, Nov 28, 2017 at 10:16 PM, Luis R. Rodriguez wrote: > > On Tue, Nov 28, 2017 at 12:11:34PM -0800, Kees Cook wrote: > >> On Tue, Nov 28, 2017 at 11:14 AM, Luis R. Rodriguez wrote: > >> > kmod is just a helper to poke userpsace to load a module, that's it. > >> > > >> > The old init_module() and newer finit_module() do the real handy work or > >> > module loading, and both currently only use may_init_module(): > >> > > >> > static int may_init_module(void) > >> > { > >> > if (!capable(CAP_SYS_MODULE) || modules_disabled) > >> > return -EPERM; > >> > > >> > return 0; > >> > } > >> > > >> > This begs the question: > >> > > >> > o If userspace just tries to just use raw finit_module() do we want similar > >> > checks? > >> > > >> > Otherwise, correct me if I'm wrong this all seems pointless. > >> > >> Hm? That's direct-loading, not auto-loading. This series is only about > >> auto-loading. > > > > And *all* auto-loading uses aliases? What's the difference between auto-loading > > and direct-loading? > > Not all auto-loading uses aliases, auto-loading is when kernel code > calls request_module() to loads the feature that was not present, It seems the actual interest here is system call implicated request_module() calls? Because there are uses of request_module() which may be module hacks, and not implicated via system calls. > and direct-loading in this thread is the direct syscalls like > finit_module(). OK. > >> We already have a global sysctl for blocking direct-loading (modules_disabled). > > > > My point was that even if you have a CAP_NET_ADMIN check on request_module(), > > finit_module() will not check for it, so a crafty userspace could still try > > to just finit_module() directly, and completely then bypass the CAP_NET_ADMIN > > check. > > The finit_module() uses CAP_SYS_MODULE which should allow all modules > and in this context it should be more privileged than CAP_NET_ADMIN > which is only for "netdev-%s" (to not load arbitrary modules with it). > > finit_module() coming from request_module() always has the > CAP_NET_ADMIN, hence the check is done before. But since CAP_SYS_MODULE is more restrictive, what's the point in checking for CAP_NET_ADMIN? > > So unless I'm missing something, I see no point in adding extra checks for > > request_module() but nothing for the respective load_module(). > > I see, request_module() is called from kernel context which runs in > init namespace will full capabilities, the spawned userspace modprobe > will get CAP_SYS_MODULE and all other caps, then after comes modprobe > and load_module(). Right, so defining the gains of adding this extra check is not very clear yet. It would seem a benefit exists, what is it? > Btw as suggested by Linus I will update with request_module_cap() and > I can > offer my help maintaining these bits too. Can you start by extending lib/test_module.c and tools/testing/selftests/kmod/kmod.sh with a proof of concept of the gains here, as well as ensuring things work as expected ? Luis From mboxrd@z Thu Jan 1 00:00:00 1970 From: mcgrof@kernel.org (Luis R. Rodriguez) Date: Tue, 28 Nov 2017 23:18:56 +0100 Subject: [PATCH v5 next 1/5] modules:capabilities: add request_module_cap() In-Reply-To: References: <1511803118-2552-1-git-send-email-tixxdz@gmail.com> <1511803118-2552-2-git-send-email-tixxdz@gmail.com> <20171128191405.GO729@wotan.suse.de> <20171128211659.GP729@wotan.suse.de> Message-ID: <20171128221856.GS729@wotan.suse.de> To: linux-security-module@vger.kernel.org List-Id: linux-security-module.vger.kernel.org On Tue, Nov 28, 2017 at 10:33:27PM +0100, Djalal Harouni wrote: > On Tue, Nov 28, 2017 at 10:16 PM, Luis R. Rodriguez wrote: > > On Tue, Nov 28, 2017 at 12:11:34PM -0800, Kees Cook wrote: > >> On Tue, Nov 28, 2017 at 11:14 AM, Luis R. Rodriguez wrote: > >> > kmod is just a helper to poke userpsace to load a module, that's it. > >> > > >> > The old init_module() and newer finit_module() do the real handy work or > >> > module loading, and both currently only use may_init_module(): > >> > > >> > static int may_init_module(void) > >> > { > >> > if (!capable(CAP_SYS_MODULE) || modules_disabled) > >> > return -EPERM; > >> > > >> > return 0; > >> > } > >> > > >> > This begs the question: > >> > > >> > o If userspace just tries to just use raw finit_module() do we want similar > >> > checks? > >> > > >> > Otherwise, correct me if I'm wrong this all seems pointless. > >> > >> Hm? That's direct-loading, not auto-loading. This series is only about > >> auto-loading. > > > > And *all* auto-loading uses aliases? What's the difference between auto-loading > > and direct-loading? > > Not all auto-loading uses aliases, auto-loading is when kernel code > calls request_module() to loads the feature that was not present, It seems the actual interest here is system call implicated request_module() calls? Because there are uses of request_module() which may be module hacks, and not implicated via system calls. > and direct-loading in this thread is the direct syscalls like > finit_module(). OK. > >> We already have a global sysctl for blocking direct-loading (modules_disabled). > > > > My point was that even if you have a CAP_NET_ADMIN check on request_module(), > > finit_module() will not check for it, so a crafty userspace could still try > > to just finit_module() directly, and completely then bypass the CAP_NET_ADMIN > > check. > > The finit_module() uses CAP_SYS_MODULE which should allow all modules > and in this context it should be more privileged than CAP_NET_ADMIN > which is only for "netdev-%s" (to not load arbitrary modules with it). > > finit_module() coming from request_module() always has the > CAP_NET_ADMIN, hence the check is done before. But since CAP_SYS_MODULE is more restrictive, what's the point in checking for CAP_NET_ADMIN? > > So unless I'm missing something, I see no point in adding extra checks for > > request_module() but nothing for the respective load_module(). > > I see, request_module() is called from kernel context which runs in > init namespace will full capabilities, the spawned userspace modprobe > will get CAP_SYS_MODULE and all other caps, then after comes modprobe > and load_module(). Right, so defining the gains of adding this extra check is not very clear yet. It would seem a benefit exists, what is it? > Btw as suggested by Linus I will update with request_module_cap() and > I can > offer my help maintaining these bits too. Can you start by extending lib/test_module.c and tools/testing/selftests/kmod/kmod.sh with a proof of concept of the gains here, as well as ensuring things work as expected ? Luis -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html From mboxrd@z Thu Jan 1 00:00:00 1970 Date: Tue, 28 Nov 2017 23:18:56 +0100 From: "Luis R. Rodriguez" Message-ID: <20171128221856.GS729@wotan.suse.de> References: <1511803118-2552-1-git-send-email-tixxdz@gmail.com> <1511803118-2552-2-git-send-email-tixxdz@gmail.com> <20171128191405.GO729@wotan.suse.de> <20171128211659.GP729@wotan.suse.de> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Subject: [kernel-hardening] Re: [PATCH v5 next 1/5] modules:capabilities: add request_module_cap() To: Djalal Harouni Cc: "Luis R. Rodriguez" , Kees Cook , Andy Lutomirski , Andrew Morton , James Morris , Ben Hutchings , Solar Designer , Serge Hallyn , Jessica Yu , Rusty Russell , LKML , linux-security-module , kernel-hardening@lists.openwall.com, Jonathan Corbet , Ingo Molnar , "David S. Miller" , Network Development , Peter Zijlstra , Linus Torvalds List-ID: On Tue, Nov 28, 2017 at 10:33:27PM +0100, Djalal Harouni wrote: > On Tue, Nov 28, 2017 at 10:16 PM, Luis R. Rodriguez wrote: > > On Tue, Nov 28, 2017 at 12:11:34PM -0800, Kees Cook wrote: > >> On Tue, Nov 28, 2017 at 11:14 AM, Luis R. Rodriguez wrote: > >> > kmod is just a helper to poke userpsace to load a module, that's it. > >> > > >> > The old init_module() and newer finit_module() do the real handy work or > >> > module loading, and both currently only use may_init_module(): > >> > > >> > static int may_init_module(void) > >> > { > >> > if (!capable(CAP_SYS_MODULE) || modules_disabled) > >> > return -EPERM; > >> > > >> > return 0; > >> > } > >> > > >> > This begs the question: > >> > > >> > o If userspace just tries to just use raw finit_module() do we want similar > >> > checks? > >> > > >> > Otherwise, correct me if I'm wrong this all seems pointless. > >> > >> Hm? That's direct-loading, not auto-loading. This series is only about > >> auto-loading. > > > > And *all* auto-loading uses aliases? What's the difference between auto-loading > > and direct-loading? > > Not all auto-loading uses aliases, auto-loading is when kernel code > calls request_module() to loads the feature that was not present, It seems the actual interest here is system call implicated request_module() calls? Because there are uses of request_module() which may be module hacks, and not implicated via system calls. > and direct-loading in this thread is the direct syscalls like > finit_module(). OK. > >> We already have a global sysctl for blocking direct-loading (modules_disabled). > > > > My point was that even if you have a CAP_NET_ADMIN check on request_module(), > > finit_module() will not check for it, so a crafty userspace could still try > > to just finit_module() directly, and completely then bypass the CAP_NET_ADMIN > > check. > > The finit_module() uses CAP_SYS_MODULE which should allow all modules > and in this context it should be more privileged than CAP_NET_ADMIN > which is only for "netdev-%s" (to not load arbitrary modules with it). > > finit_module() coming from request_module() always has the > CAP_NET_ADMIN, hence the check is done before. But since CAP_SYS_MODULE is more restrictive, what's the point in checking for CAP_NET_ADMIN? > > So unless I'm missing something, I see no point in adding extra checks for > > request_module() but nothing for the respective load_module(). > > I see, request_module() is called from kernel context which runs in > init namespace will full capabilities, the spawned userspace modprobe > will get CAP_SYS_MODULE and all other caps, then after comes modprobe > and load_module(). Right, so defining the gains of adding this extra check is not very clear yet. It would seem a benefit exists, what is it? > Btw as suggested by Linus I will update with request_module_cap() and > I can > offer my help maintaining these bits too. Can you start by extending lib/test_module.c and tools/testing/selftests/kmod/kmod.sh with a proof of concept of the gains here, as well as ensuring things work as expected ? Luis