From: ebiederm@xmission.com (Eric W. Biederman)
To: Eric Paris <eparis@redhat.com>
Cc: Amerigo Wang <amwang@redhat.com>,
linux-kernel@vger.kernel.org, kexec@lists.infradead.org
Subject: Re: [Patch] kexec_load: check CAP_SYS_MODULE
Date: Sat, 08 Jan 2011 18:09:17 -0800 [thread overview]
Message-ID: <m1k4ieesky.fsf@fess.ebiederm.org> (raw)
In-Reply-To: <1294447189.3237.132.camel@localhost.localdomain> (Eric Paris's message of "Fri, 07 Jan 2011 19:39:49 -0500")
Eric Paris <eparis@redhat.com> writes:
> On Fri, 2011-01-07 at 13:02 -0800, Eric W. Biederman wrote:
>> Eric Paris <eparis@redhat.com> writes:
>
>> Yes I am aware of the crazy game that is called approved kernels. Where
>> there are too many regressions for people to trust new kernel releases
>> but people want to change the kernel and the setup from what was tested
>> and still have the stamp of approval anyway. Financially it seems to
>> make people money, but as best I can tell that game is ultimately what
>> killed unix.
>
> I don't believe this is a particularly relevant line of conversion and
> should probably drop it, but I can't completely leave it alone. We
> obviously have a very different understanding of what concerning the
> unix wars brought about its death. I'd think it obvious that the very
> fact that this conversation is taking place shows that the exact
> opposite of the unix wars problems are being seen here. You clearly
> have personal opinions about the benefits of custom built kernels, but
> they are not the opinions of the vast majority of linux users. I rarely
> run disto kernels and I'm sure few on lkml do, but it doesn't change the
> fact that most users, especially large IT environments, require system
> standardization. I hope to address the needs of this portion of the
> linux community even if you might wish they functioned differently.
Sure and if you have a good clear architecture not an adhoc set of goals
getting it into the standard kernel makes sense.
Trying to shoe horn everyone crazy ideas into the standard kernel before
they are well thought out is a bad idea.
What I am most sensitive to about distro kernels is the massive
stagnation that happens (it gets extremely silly to run a kernel that is
several years old on bleeding edge hardware) as well as the crazy hacks
that I see people asking for because they must use a distro kernel for
random reasons.
>> In this instance you seem to be redefining CAP_SYS_MODULE and
>> CAP_SYS_REBOOT so you can play that game.
>
> Clearly I am refining the meaning of both in some way. Personally I
> think the current differentiation is wrong.
To some extent I agree. The old check for being uid == 0 is the only
real check that makes much sense.
>> > Maybe I didn't make it clear how this is going to be used. I plan to
>> > drop CAP_SYS_MODULE to stop root from loading their own modules and
>> > running their own code in the kernel. I can control reboot() since I
>> > control the platform and the bootloader. I cannot control kexec(). I'm
>> > also required to use a generic distro kernel (bet you can't guess which
>> > one)
>>
>> If you are truly locked down I recommend dropping CAP_SYS_REBOOT and
>> setting up a watchdog that keeps the system from rebooting (standard
>> practice in embedded kinds of setups like you describe). That should
>> meet everyone requirements without needing to game the system.
>
> This does not meet the set of requirements. I recognize that you don't
> have the full architecture in mind (and apologize that I can't describe
> it much better than I am already), but root should still be allowed to
> reboot the machine. This is not an embedded platform. Nor one in which
> a watchdog task makes any sense at all.
What you are asking for if I understand this correctly is a way to
disable sys_kexec_load?
What strange things are you trying to accomplish on top of a
distribution kernel?
>> > The only solution I see to solve the problem is to gate kexec on
>> > CAP_SYS_MODULE. Which makes sense since kexec() is in many respects
>> > close to module_init() than it is to reboot().
>>
>> kexec_load is nothing like module_init(). All it does it puts data in
>> memory for use by a subsequent reboot. /sbin/kexec is a bootloader that
>> runs inside of linux. All you are noticing is that if you don't control
>> /sbin/kexec you aren't controlling the bootloader.
>
> Does that mean you would instead prefer that we check CAP_SYS_MODULE in
> sys_reboot() when LINUX_REBOOT_CMD_KEXEC is set (or really
> kernel_kexec())? It seems to me you indicate that is the more analogous
> location since it is the actual place where we load new kernel code on
> the running system (aka what sys_module was intended to protect)?
We aren't dealing with modules I think CAP_SYS_MODULE is totally
irrelevant in the context of kexec.
I think to accomplish what you want we either need a way to disable
sys_kexec_load or possibly a new very targeted capability bit.
You are making it so that giving someone CAP_SYS_MODULE is giving more
than the ability to load kernel modules. Which seems non-intuitive from
a system management point of view.
Eric
WARNING: multiple messages have this Message-ID (diff)
From: ebiederm@xmission.com (Eric W. Biederman)
To: Eric Paris <eparis@redhat.com>
Cc: kexec@lists.infradead.org, Amerigo Wang <amwang@redhat.com>,
linux-kernel@vger.kernel.org
Subject: Re: [Patch] kexec_load: check CAP_SYS_MODULE
Date: Sat, 08 Jan 2011 18:09:17 -0800 [thread overview]
Message-ID: <m1k4ieesky.fsf@fess.ebiederm.org> (raw)
In-Reply-To: <1294447189.3237.132.camel@localhost.localdomain> (Eric Paris's message of "Fri, 07 Jan 2011 19:39:49 -0500")
Eric Paris <eparis@redhat.com> writes:
> On Fri, 2011-01-07 at 13:02 -0800, Eric W. Biederman wrote:
>> Eric Paris <eparis@redhat.com> writes:
>
>> Yes I am aware of the crazy game that is called approved kernels. Where
>> there are too many regressions for people to trust new kernel releases
>> but people want to change the kernel and the setup from what was tested
>> and still have the stamp of approval anyway. Financially it seems to
>> make people money, but as best I can tell that game is ultimately what
>> killed unix.
>
> I don't believe this is a particularly relevant line of conversion and
> should probably drop it, but I can't completely leave it alone. We
> obviously have a very different understanding of what concerning the
> unix wars brought about its death. I'd think it obvious that the very
> fact that this conversation is taking place shows that the exact
> opposite of the unix wars problems are being seen here. You clearly
> have personal opinions about the benefits of custom built kernels, but
> they are not the opinions of the vast majority of linux users. I rarely
> run disto kernels and I'm sure few on lkml do, but it doesn't change the
> fact that most users, especially large IT environments, require system
> standardization. I hope to address the needs of this portion of the
> linux community even if you might wish they functioned differently.
Sure and if you have a good clear architecture not an adhoc set of goals
getting it into the standard kernel makes sense.
Trying to shoe horn everyone crazy ideas into the standard kernel before
they are well thought out is a bad idea.
What I am most sensitive to about distro kernels is the massive
stagnation that happens (it gets extremely silly to run a kernel that is
several years old on bleeding edge hardware) as well as the crazy hacks
that I see people asking for because they must use a distro kernel for
random reasons.
>> In this instance you seem to be redefining CAP_SYS_MODULE and
>> CAP_SYS_REBOOT so you can play that game.
>
> Clearly I am refining the meaning of both in some way. Personally I
> think the current differentiation is wrong.
To some extent I agree. The old check for being uid == 0 is the only
real check that makes much sense.
>> > Maybe I didn't make it clear how this is going to be used. I plan to
>> > drop CAP_SYS_MODULE to stop root from loading their own modules and
>> > running their own code in the kernel. I can control reboot() since I
>> > control the platform and the bootloader. I cannot control kexec(). I'm
>> > also required to use a generic distro kernel (bet you can't guess which
>> > one)
>>
>> If you are truly locked down I recommend dropping CAP_SYS_REBOOT and
>> setting up a watchdog that keeps the system from rebooting (standard
>> practice in embedded kinds of setups like you describe). That should
>> meet everyone requirements without needing to game the system.
>
> This does not meet the set of requirements. I recognize that you don't
> have the full architecture in mind (and apologize that I can't describe
> it much better than I am already), but root should still be allowed to
> reboot the machine. This is not an embedded platform. Nor one in which
> a watchdog task makes any sense at all.
What you are asking for if I understand this correctly is a way to
disable sys_kexec_load?
What strange things are you trying to accomplish on top of a
distribution kernel?
>> > The only solution I see to solve the problem is to gate kexec on
>> > CAP_SYS_MODULE. Which makes sense since kexec() is in many respects
>> > close to module_init() than it is to reboot().
>>
>> kexec_load is nothing like module_init(). All it does it puts data in
>> memory for use by a subsequent reboot. /sbin/kexec is a bootloader that
>> runs inside of linux. All you are noticing is that if you don't control
>> /sbin/kexec you aren't controlling the bootloader.
>
> Does that mean you would instead prefer that we check CAP_SYS_MODULE in
> sys_reboot() when LINUX_REBOOT_CMD_KEXEC is set (or really
> kernel_kexec())? It seems to me you indicate that is the more analogous
> location since it is the actual place where we load new kernel code on
> the running system (aka what sys_module was intended to protect)?
We aren't dealing with modules I think CAP_SYS_MODULE is totally
irrelevant in the context of kexec.
I think to accomplish what you want we either need a way to disable
sys_kexec_load or possibly a new very targeted capability bit.
You are making it so that giving someone CAP_SYS_MODULE is giving more
than the ability to load kernel modules. Which seems non-intuitive from
a system management point of view.
Eric
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
next prev parent reply other threads:[~2011-01-09 2:09 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-01-06 8:25 [Patch] kexec_load: check CAP_SYS_MODULE Amerigo Wang
2011-01-06 8:25 ` Amerigo Wang
2011-01-06 8:27 ` Cong Wang
2011-01-06 8:27 ` Cong Wang
2011-01-06 8:47 ` Eric W. Biederman
2011-01-06 8:47 ` Eric W. Biederman
2011-01-06 19:02 ` Eric Paris
2011-01-06 19:02 ` Eric Paris
2011-01-07 20:10 ` Eric W. Biederman
2011-01-07 20:10 ` Eric W. Biederman
2011-01-07 20:32 ` Eric Paris
2011-01-07 20:32 ` Eric Paris
2011-01-07 21:02 ` Eric W. Biederman
2011-01-07 21:02 ` Eric W. Biederman
2011-01-08 0:39 ` Eric Paris
2011-01-08 0:39 ` Eric Paris
2011-01-09 2:09 ` Eric W. Biederman [this message]
2011-01-09 2:09 ` Eric W. Biederman
2011-01-11 11:26 ` Cong Wang
2011-01-11 11:26 ` Cong Wang
2011-01-14 19:47 ` Eric Paris
2011-01-14 19:47 ` Eric Paris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m1k4ieesky.fsf@fess.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=amwang@redhat.com \
--cc=eparis@redhat.com \
--cc=kexec@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.