Re: [Patch] kexec_load: check CAP_SYS_MODULE

[ebiederm@xmission.com (Eric W. Biederman)]

Eric Paris <eparis@parisplace.org> writes:

> On Thu, Jan 6, 2011 at 3:47 AM, Eric W. Biederman <ebiederm@xmission.com> wrote:
>> Amerigo Wang <amwang@redhat.com> writes:
>>
>>> Eric pointed out that kexec_load() actually allows you to
>>> run any code you want in ring0, this is more like CAP_SYS_MODULE.
>>
>> Let me get this straight you want to make the permission checks
>> less stringent by allowing either CAP_SYS_MODULE or CAP_SYS_BOOT?
>
> Nope, read my patch again.  It actually requires BOTH of them.

Ah right.  Testing the negative and going to -EPERM.

>> CAP_SYS_BOOT is the correct capability.  Sure you can run any
>> code but only after rebooting.  I don't see how this differs
>> from any other reboot scenario.
>
> The difference is that after a reboot the bootloader and the system
> control what code is run.  kexec_load() immediately runs the new
> kernel which is not controlled by the bootloader or by the system.
> Imagine a situation where the bootloader and the /boot directory are
> RO (enforced by hardware).   kexec_load() would let you run any kernel
> code you want on the box whereas reboot would not.

The scenario is imaginable (not common but imaginable) but I don't see
how requiring CAP_SYS_MODULE makes anything better.

If I was building a configuration where I didn't want anyone to be able
to direct the kernel into a different state by locking down the
bootloaders I expect I would compile out the syscall as well.

Most bootloaders have the option of booting something else the mechanism
is just different. I really don't see what the addition of
CAP_SYS_MODULE gains you.

Right now CAP_SYS_BOOT still makes sense to me and CAP_SYS_MODULE stills
seems like nonsense in this context.

Eric