From: ebiederm@xmission.com (Eric W. Biederman)
To: Eric Paris
Cc: Amerigo Wang, linux-kernel@vger.kernel.org, kexec@lists.infradead.org, eparis@redhat.com
Subject: Re: [Patch] kexec_load: check CAP_SYS_MODULE
Date: Fri, 07 Jan 2011 12:10:44 -0800
References: <1294302325-22593-1-git-send-email-amwang@redhat.com>
In-Reply-To: (Eric Paris's message of "Thu, 6 Jan 2011 14:02:47 -0500")
X-Mailing-List: linux-kernel@vger.kernel.org

Eric Paris writes:

> On Thu, Jan 6, 2011 at 3:47 AM, Eric W. Biederman wrote:
>> Amerigo Wang writes:
>>
>>> Eric pointed out that kexec_load() actually allows you to
>>> run any code you want in ring0, this is more like CAP_SYS_MODULE.
>>
>> Let me get this straight you want to make the permission checks
>> less stringent by allowing either CAP_SYS_MODULE or CAP_SYS_BOOT?
>
> Nope, read my patch again. It actually requires BOTH of them.

Ah right. Testing the negative and going to -EPERM.

>> CAP_SYS_BOOT is the correct capability. Sure you can run any
>> code but only after rebooting. I don't see how this differs
>> from any other reboot scenario.
>
> The difference is that after a reboot the bootloader and the system
> control what code is run. kexec_load() immediately runs the new
> kernel which is not controlled by the bootloader or by the system.
> Imagine a situation where the bootloader and the /boot directory are
> RO (enforced by hardware). kexec_load() would let you run any kernel
> code you want on the box whereas reboot would not.

The scenario is imaginable (not common but imaginable) but I don't see
how requiring CAP_SYS_MODULE makes anything better.

If I was building a configuration where I didn't want anyone to be able
to direct the kernel into a different state by locking down the
bootloaders I expect I would compile out the syscall as well.

Most bootloaders have the option of booting something else the mechanism
is just different. I really don't see what the addition of
CAP_SYS_MODULE gains you.

Right now CAP_SYS_BOOT still makes sense to me and CAP_SYS_MODULE still
seems like nonsense in this context.

Eric
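Added example, not part of the original message or of the patch under discussion: a user-space C model of the two permission checks the thread compares, applied to the `CapEff` mask from `/proc/<pid>/status`, to show which processes the "both required" negative test would newly refuse. The function names and the sample status text are assumptions constructed for illustration; only the capability bit numbers come from `<linux/capability.h>`.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bit numbers from <linux/capability.h>. */
#define CAP_SYS_MODULE_BIT 16
#define CAP_SYS_BOOT_BIT   22

/* Pull the effective capability mask out of /proc/<pid>/status text.
 * Returns 0 on success, -1 when there is no well-formed CapEff line. */
int parse_cap_eff(const char *status, uint64_t *mask)
{
    const char *p = strstr(status, "CapEff:");
    char *end;
    if (!p)
        return -1;
    p += strlen("CapEff:");
    *mask = strtoull(p, &end, 16);
    return end == p ? -1 : 0;
}

/* Model of the two checks debated in the thread (not the patch itself).
 * require_module == 0: CAP_SYS_BOOT alone.
 * require_module == 1: negative test, -EPERM unless BOTH are held. */
int kexec_load_check(uint64_t eff, int require_module)
{
    int has_boot = (eff >> CAP_SYS_BOOT_BIT) & 1;
    int has_module = (eff >> CAP_SYS_MODULE_BIT) & 1;
    if (!has_boot || (require_module && !has_module))
        return -EPERM;
    return 0;
}

/* Constructed sample: status text of a process holding only CAP_SYS_BOOT. */
static const char SAMPLE_BOOT_ONLY[] =
    "Name:\tsample\nCapPrm:\t0000000000400000\nCapEff:\t0000000000400000\n";

int main(void)
{
    uint64_t eff;

    if (parse_cap_eff(SAMPLE_BOOT_ONLY, &eff))
        return 1;
    printf("boot only: %d, both required: %d\n",
           kexec_load_check(eff, 0), kexec_load_check(eff, 1));
    return 0;
}
```

Run over the status files of privileged services, the same two functions list the processes that can reach kexec_load() with CAP_SYS_BOOT but would be refused once CAP_SYS_MODULE is also required.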