From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1426723AbdDVAMe (ORCPT ); Fri, 21 Apr 2017 20:12:34 -0400 Received: from mail-qk0-f193.google.com ([209.85.220.193]:35939 "EHLO mail-qk0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1424601AbdDVAMb (ORCPT ); Fri, 21 Apr 2017 20:12:31 -0400 MIME-Version: 1.0 In-Reply-To: References: <1492640420-27345-1-git-send-email-tixxdz@gmail.com> <1492640420-27345-3-git-send-email-tixxdz@gmail.com> From: Djalal Harouni Date: Sat, 22 Apr 2017 02:12:29 +0200 Message-ID: Subject: Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction To: Andy Lutomirski Cc: Kees Cook , Linux Kernel Mailing List , Andrew Morton , "Serge E. Hallyn" , "kernel-hardening@lists.openwall.com" , LSM List , Linux API , Dongsu Park , Casey Schaufler , James Morris , Paul Moore , Tetsuo Handa , Greg Kroah-Hartman , Jonathan Corbet , Jessica Yu , Rusty Russell , Arnaldo Carvalho de Melo , Mauro Carvalho Chehab , Ingo Molnar , belakhdar abdeldjalil , Peter Zijlstra Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Apr 22, 2017 at 1:51 AM, Andy Lutomirski wrote: [...] >>> I personally like my implicit_rights idea, and it might be interesting >>> to prototype it. >> >> I don't like blocking a needed feature behind a large super-feature >> that doesn't exist yet. We'd be able to refactor this code into using >> such a thing in the future, so I'd prefer to move ahead with this >> since it would stop actual exploits. > > I don't think the super-feature is so hard, and I think we should not > add the per-task thing the way it's done in this patch. Let's not add > per-task things where the best argument for their security is "not > sure how it would be exploited". Actually the XFRM framework CVE-2017-7184 [1] is one real example, of course there are others. The exploit was used on a generic distro during a security contest that distro is Ubuntu. That distro will never provide a module autoloading restriction by default to not harm it's users. Consumers or containers/sandboxes then can run their confined apps using such facilities. These bugs will stay in embedded devices that use these generic distros for ever. > Anyway, I think the sysctl is really the important bit. The per-task > setting is icing on the cake IMO. One upon a time autoload was more > important, but these days modaliases are supposed to do most of the > work. I bet that modern distros don't need unprivileged autoload at > all. Actually I think they do and we can't just change that. Users may depend on it, it is a well established facility. Now the other problem is CAP_NET_ADMIN which does lot of things, it is more like the CAP_SYS_ADMIN. This is a quick list that I got from only the past months, I'm pretty sure there are more: * DCCP use after free CVE-2017-6074 * n_hldc CVE-2017-2636 * XFRM framework CVE-2017-7184 * L2TPv3 CVE-2016-10200 Most of these need CAP_NET_ADMIN to be autoloaded, however we also need CAP_NET_ADMIN for other things... therefore it is better to have an extra facility that could coexist with CAP_NET_ADMIN and other sandbox features. [1] http://www.openwall.com/lists/oss-security/2017/03/29/2 -- tixxdz