From: ebiederm@xmission.com (Eric W. Biederman)
To: Eric Paris <eparis@redhat.com>
Cc: Amerigo Wang <amwang@redhat.com>,
linux-kernel@vger.kernel.org, kexec@lists.infradead.org
Subject: Re: [Patch] kexec_load: check CAP_SYS_MODULE
Date: Fri, 07 Jan 2011 13:02:32 -0800 [thread overview]
Message-ID: <m18vywh1g7.fsf@fess.ebiederm.org> (raw)
In-Reply-To: <1294432333.3237.107.camel@localhost.localdomain> (Eric Paris's message of "Fri, 07 Jan 2011 15:32:13 -0500")
Eric Paris <eparis@redhat.com> writes:
>> If I was building a configuration where I didn't want anyone to be able
>> to direct the kernel into a different state by locking down the
>> bootloaders I expect I would compile out the syscall as well.
>
> As sad as it may sound the vast majority of people don't build their own
> kernels. And even those people who have the intelligence to do it are
> often constrained by some non-technical policy to run 'approved'
> kernels.
Yes I am aware of the crazy game that is called approved kernels. Where
there are too many regressions for people to trust new kernel releases
but people want to change the kernel and the setup from what was tested
and still have the stamp of approval anyway. Financially it seems to
make people money, but as best I can tell that game is ultimately what
killed unix.
In this instance you seem to be redefining CAP_SYS_MODULE and
CAP_SYS_REBOOT so you can play that game.
> Maybe I didn't make it clear how this is going to be used. I plan to
> drop CAP_SYS_MODULE to stop root from loading their own modules and
> running their own code in the kernel. I can control reboot() since I
> control the platform and the bootloader. I cannot control kexec(). I'm
> also required to use a generic distro kernel (bet you can't guess which
> one)
If you are truly locked down I recommend dropping CAP_SYS_REBOOT and
setting up a watchdog that keeps the system from rebooting (standard
practice in embedded kinds of setups like you describe). That should
meet everyone requirements without needing to game the system.
> The only solution I see to solve the problem is to gate kexec on
> CAP_SYS_MODULE. Which makes sense since kexec() is in many respects
> close to module_init() than it is to reboot().
kexec_load is nothing like module_init(). All it does it puts data in
memory for use by a subsequent reboot. /sbin/kexec is a bootloader that
runs inside of linux. All you are noticing is that if you don't control
/sbin/kexec you aren't controlling the bootloader.
Eric
WARNING: multiple messages have this Message-ID (diff)
From: ebiederm@xmission.com (Eric W. Biederman)
To: Eric Paris <eparis@redhat.com>
Cc: kexec@lists.infradead.org, Amerigo Wang <amwang@redhat.com>,
linux-kernel@vger.kernel.org
Subject: Re: [Patch] kexec_load: check CAP_SYS_MODULE
Date: Fri, 07 Jan 2011 13:02:32 -0800 [thread overview]
Message-ID: <m18vywh1g7.fsf@fess.ebiederm.org> (raw)
In-Reply-To: <1294432333.3237.107.camel@localhost.localdomain> (Eric Paris's message of "Fri, 07 Jan 2011 15:32:13 -0500")
Eric Paris <eparis@redhat.com> writes:
>> If I was building a configuration where I didn't want anyone to be able
>> to direct the kernel into a different state by locking down the
>> bootloaders I expect I would compile out the syscall as well.
>
> As sad as it may sound the vast majority of people don't build their own
> kernels. And even those people who have the intelligence to do it are
> often constrained by some non-technical policy to run 'approved'
> kernels.
Yes I am aware of the crazy game that is called approved kernels. Where
there are too many regressions for people to trust new kernel releases
but people want to change the kernel and the setup from what was tested
and still have the stamp of approval anyway. Financially it seems to
make people money, but as best I can tell that game is ultimately what
killed unix.
In this instance you seem to be redefining CAP_SYS_MODULE and
CAP_SYS_REBOOT so you can play that game.
> Maybe I didn't make it clear how this is going to be used. I plan to
> drop CAP_SYS_MODULE to stop root from loading their own modules and
> running their own code in the kernel. I can control reboot() since I
> control the platform and the bootloader. I cannot control kexec(). I'm
> also required to use a generic distro kernel (bet you can't guess which
> one)
If you are truly locked down I recommend dropping CAP_SYS_REBOOT and
setting up a watchdog that keeps the system from rebooting (standard
practice in embedded kinds of setups like you describe). That should
meet everyone requirements without needing to game the system.
> The only solution I see to solve the problem is to gate kexec on
> CAP_SYS_MODULE. Which makes sense since kexec() is in many respects
> close to module_init() than it is to reboot().
kexec_load is nothing like module_init(). All it does it puts data in
memory for use by a subsequent reboot. /sbin/kexec is a bootloader that
runs inside of linux. All you are noticing is that if you don't control
/sbin/kexec you aren't controlling the bootloader.
Eric
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
next prev parent reply other threads:[~2011-01-07 21:02 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-01-06 8:25 [Patch] kexec_load: check CAP_SYS_MODULE Amerigo Wang
2011-01-06 8:25 ` Amerigo Wang
2011-01-06 8:27 ` Cong Wang
2011-01-06 8:27 ` Cong Wang
2011-01-06 8:47 ` Eric W. Biederman
2011-01-06 8:47 ` Eric W. Biederman
2011-01-06 19:02 ` Eric Paris
2011-01-06 19:02 ` Eric Paris
2011-01-07 20:10 ` Eric W. Biederman
2011-01-07 20:10 ` Eric W. Biederman
2011-01-07 20:32 ` Eric Paris
2011-01-07 20:32 ` Eric Paris
2011-01-07 21:02 ` Eric W. Biederman [this message]
2011-01-07 21:02 ` Eric W. Biederman
2011-01-08 0:39 ` Eric Paris
2011-01-08 0:39 ` Eric Paris
2011-01-09 2:09 ` Eric W. Biederman
2011-01-09 2:09 ` Eric W. Biederman
2011-01-11 11:26 ` Cong Wang
2011-01-11 11:26 ` Cong Wang
2011-01-14 19:47 ` Eric Paris
2011-01-14 19:47 ` Eric Paris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m18vywh1g7.fsf@fess.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=amwang@redhat.com \
--cc=eparis@redhat.com \
--cc=kexec@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.