From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1750945AbdEEQTO (ORCPT ); Fri, 5 May 2017 12:19:14 -0400 Received: from mail.kernel.org ([198.145.29.136]:54592 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750727AbdEEQTM (ORCPT ); Fri, 5 May 2017 12:19:12 -0400 MIME-Version: 1.0 In-Reply-To: References: <1492640420-27345-1-git-send-email-tixxdz@gmail.com> <1492640420-27345-3-git-send-email-tixxdz@gmail.com> From: Andy Lutomirski Date: Fri, 5 May 2017 09:18:46 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction To: Djalal Harouni Cc: Kees Cook , Andy Lutomirski , Linux Kernel Mailing List , Andrew Morton , "Serge E. Hallyn" , "kernel-hardening@lists.openwall.com" , LSM List , Linux API , Dongsu Park , Casey Schaufler , James Morris , Paul Moore , Tetsuo Handa , Greg Kroah-Hartman , Jonathan Corbet , Jessica Yu , Rusty Russell , Arnaldo Carvalho de Melo , Mauro Carvalho Chehab , Ingo Molnar , belakhdar abdeldjalil , Peter Zijlstra , Linus Torvalds Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, May 4, 2017 at 6:07 AM, Djalal Harouni wrote: > On Sat, Apr 22, 2017 at 2:17 PM, Djalal Harouni wrote: >> On Sat, Apr 22, 2017 at 1:28 AM, Andy Lutomirski wrote: > [...] >>> >>> My point is that all of these need some way to handle configuration >>> and inheritance, and I don't think that a bunch of per-task prctls is >>> the right way. As just an example, saying that interactive users can >>> autoload modules but other users can't, or that certain systemd >>> services can, etc, might be nice. Linus already complained that he >>> (i.e. user "torvalds" or whatever) should be able to profile the >>> kernel but that other uids should not be able to. >> >> Neat, maybe this could already be achieved with this interface and >> systemd-logind, "ModulesAutoloadUsers=andy" in logind.conf where >> "andy" is the only logged-in user able to trigger and autoload kernel >> modules. However maybe we should not restrict too much other bits or >> functionality of the other users, please let me will follow up later >> on it. >> >>> I personally like my implicit_rights idea, and it might be interesting >>> to prototype it. >> > > Andy following on the idea of per user settings, I'm curious did you > manage to make some advance on how to store the user settings ? the > user database format is old and not extensible, there was cgmanager or > other libcgroup but for resources, and no simple thing for such > restrictions example: "RestrictLinuxModules=user" that will prevent > such users from making/loading extra Linux features/modules that are > not already available... > I figured that user code would figure it out somehow. Text config file? There is another odd way it could be configured: just leave the inodes around in /dev/rights with appropriate permissions. Some startup script could re-instantiate them with the same permissions (via a syscall that does that atomically). From mboxrd@z Thu Jan 1 00:00:00 1970 From: Andy Lutomirski Subject: Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction Date: Fri, 5 May 2017 09:18:46 -0700 Message-ID: References: <1492640420-27345-1-git-send-email-tixxdz@gmail.com> <1492640420-27345-3-git-send-email-tixxdz@gmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Return-path: In-Reply-To: Sender: linux-kernel-owner@vger.kernel.org To: Djalal Harouni Cc: Kees Cook , Andy Lutomirski , Linux Kernel Mailing List , Andrew Morton , "Serge E. Hallyn" , "kernel-hardening@lists.openwall.com" , LSM List , Linux API , Dongsu Park , Casey Schaufler , James Morris , Paul Moore , Tetsuo Handa , Greg Kroah-Hartman , Jonathan Corbet , Jessica Yu , Rusty Russell , Arnaldo Carvalho de Melo List-Id: linux-api@vger.kernel.org On Thu, May 4, 2017 at 6:07 AM, Djalal Harouni wrote: > On Sat, Apr 22, 2017 at 2:17 PM, Djalal Harouni wrote: >> On Sat, Apr 22, 2017 at 1:28 AM, Andy Lutomirski wrote: > [...] >>> >>> My point is that all of these need some way to handle configuration >>> and inheritance, and I don't think that a bunch of per-task prctls is >>> the right way. As just an example, saying that interactive users can >>> autoload modules but other users can't, or that certain systemd >>> services can, etc, might be nice. Linus already complained that he >>> (i.e. user "torvalds" or whatever) should be able to profile the >>> kernel but that other uids should not be able to. >> >> Neat, maybe this could already be achieved with this interface and >> systemd-logind, "ModulesAutoloadUsers=andy" in logind.conf where >> "andy" is the only logged-in user able to trigger and autoload kernel >> modules. However maybe we should not restrict too much other bits or >> functionality of the other users, please let me will follow up later >> on it. >> >>> I personally like my implicit_rights idea, and it might be interesting >>> to prototype it. >> > > Andy following on the idea of per user settings, I'm curious did you > manage to make some advance on how to store the user settings ? the > user database format is old and not extensible, there was cgmanager or > other libcgroup but for resources, and no simple thing for such > restrictions example: "RestrictLinuxModules=user" that will prevent > such users from making/loading extra Linux features/modules that are > not already available... > I figured that user code would figure it out somehow. Text config file? There is another odd way it could be configured: just leave the inodes around in /dev/rights with appropriate permissions. Some startup script could re-instantiate them with the same permissions (via a syscall that does that atomically). From mboxrd@z Thu Jan 1 00:00:00 1970 From: luto@kernel.org (Andy Lutomirski) Date: Fri, 5 May 2017 09:18:46 -0700 Subject: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction In-Reply-To: References: <1492640420-27345-1-git-send-email-tixxdz@gmail.com> <1492640420-27345-3-git-send-email-tixxdz@gmail.com> Message-ID: To: linux-security-module@vger.kernel.org List-Id: linux-security-module.vger.kernel.org On Thu, May 4, 2017 at 6:07 AM, Djalal Harouni wrote: > On Sat, Apr 22, 2017 at 2:17 PM, Djalal Harouni wrote: >> On Sat, Apr 22, 2017 at 1:28 AM, Andy Lutomirski wrote: > [...] >>> >>> My point is that all of these need some way to handle configuration >>> and inheritance, and I don't think that a bunch of per-task prctls is >>> the right way. As just an example, saying that interactive users can >>> autoload modules but other users can't, or that certain systemd >>> services can, etc, might be nice. Linus already complained that he >>> (i.e. user "torvalds" or whatever) should be able to profile the >>> kernel but that other uids should not be able to. >> >> Neat, maybe this could already be achieved with this interface and >> systemd-logind, "ModulesAutoloadUsers=andy" in logind.conf where >> "andy" is the only logged-in user able to trigger and autoload kernel >> modules. However maybe we should not restrict too much other bits or >> functionality of the other users, please let me will follow up later >> on it. >> >>> I personally like my implicit_rights idea, and it might be interesting >>> to prototype it. >> > > Andy following on the idea of per user settings, I'm curious did you > manage to make some advance on how to store the user settings ? the > user database format is old and not extensible, there was cgmanager or > other libcgroup but for resources, and no simple thing for such > restrictions example: "RestrictLinuxModules=user" that will prevent > such users from making/loading extra Linux features/modules that are > not already available... > I figured that user code would figure it out somehow. Text config file? There is another odd way it could be configured: just leave the inodes around in /dev/rights with appropriate permissions. Some startup script could re-instantiate them with the same permissions (via a syscall that does that atomically). -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html From mboxrd@z Thu Jan 1 00:00:00 1970 MIME-Version: 1.0 In-Reply-To: References: <1492640420-27345-1-git-send-email-tixxdz@gmail.com> <1492640420-27345-3-git-send-email-tixxdz@gmail.com> From: Andy Lutomirski Date: Fri, 5 May 2017 09:18:46 -0700 Message-ID: Content-Type: text/plain; charset=UTF-8 Subject: [kernel-hardening] Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction To: Djalal Harouni Cc: Kees Cook , Andy Lutomirski , Linux Kernel Mailing List , Andrew Morton , "Serge E. Hallyn" , "kernel-hardening@lists.openwall.com" , LSM List , Linux API , Dongsu Park , Casey Schaufler , James Morris , Paul Moore , Tetsuo Handa , Greg Kroah-Hartman , Jonathan Corbet , Jessica Yu , Rusty Russell , Arnaldo Carvalho de Melo , Mauro Carvalho Chehab , Ingo Molnar , belakhdar abdeldjalil , Peter Zijlstra , Linus Torvalds List-ID: On Thu, May 4, 2017 at 6:07 AM, Djalal Harouni wrote: > On Sat, Apr 22, 2017 at 2:17 PM, Djalal Harouni wrote: >> On Sat, Apr 22, 2017 at 1:28 AM, Andy Lutomirski wrote: > [...] >>> >>> My point is that all of these need some way to handle configuration >>> and inheritance, and I don't think that a bunch of per-task prctls is >>> the right way. As just an example, saying that interactive users can >>> autoload modules but other users can't, or that certain systemd >>> services can, etc, might be nice. Linus already complained that he >>> (i.e. user "torvalds" or whatever) should be able to profile the >>> kernel but that other uids should not be able to. >> >> Neat, maybe this could already be achieved with this interface and >> systemd-logind, "ModulesAutoloadUsers=andy" in logind.conf where >> "andy" is the only logged-in user able to trigger and autoload kernel >> modules. However maybe we should not restrict too much other bits or >> functionality of the other users, please let me will follow up later >> on it. >> >>> I personally like my implicit_rights idea, and it might be interesting >>> to prototype it. >> > > Andy following on the idea of per user settings, I'm curious did you > manage to make some advance on how to store the user settings ? the > user database format is old and not extensible, there was cgmanager or > other libcgroup but for resources, and no simple thing for such > restrictions example: "RestrictLinuxModules=user" that will prevent > such users from making/loading extra Linux features/modules that are > not already available... > I figured that user code would figure it out somehow. Text config file? There is another odd way it could be configured: just leave the inodes around in /dev/rights with appropriate permissions. Some startup script could re-instantiate them with the same permissions (via a syscall that does that atomically).