From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1762859AbdEVXIC (ORCPT ); Mon, 22 May 2017 19:08:02 -0400 Received: from mail-it0-f44.google.com ([209.85.214.44]:35022 "EHLO mail-it0-f44.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1757989AbdEVXH6 (ORCPT ); Mon, 22 May 2017 19:07:58 -0400 MIME-Version: 1.0 In-Reply-To: References: <1495454226-10027-1-git-send-email-tixxdz@gmail.com> <20170522120848.GA3003@openwall.com> <20170522164323.GA2048@openwall.com> From: Kees Cook Date: Mon, 22 May 2017 16:07:56 -0700 X-Google-Sender-Auth: fnXISh_Du2MsvEZ4m7OG436g1Po Message-ID: Subject: Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions To: Djalal Harouni Cc: Solar Designer , linux-kernel , Network Development , LSM List , "kernel-hardening@lists.openwall.com" , Andy Lutomirski , Andrew Morton , Rusty Russell , "Serge E. Hallyn" , Jessica Yu , "David S. Miller" , James Morris , Paul Moore , Stephen Smalley , Greg Kroah-Hartman , Tetsuo Handa , Ingo Molnar , Linux API , Dongsu Park , Casey Schaufler , Jonathan Corbet , Arnaldo Carvalho de Melo , Mauro Carvalho Chehab , Peter Zijlstra , Zendyani , "open list:DOCUMENTATION" , Al Viro , Ben Hutchings Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, May 22, 2017 at 12:55 PM, Djalal Harouni wrote: > On Mon, May 22, 2017 at 6:43 PM, Solar Designer wrote: >> On Mon, May 22, 2017 at 03:49:15PM +0200, Djalal Harouni wrote: >>> On Mon, May 22, 2017 at 2:08 PM, Solar Designer wrote: >>> > On Mon, May 22, 2017 at 01:57:03PM +0200, Djalal Harouni wrote: >>> >> *) When modules_autoload_mode is set to (2), automatic module loading is >>> >> disabled for all. Once set, this value can not be changed. >>> > >>> > What purpose does this securelevel-like property ("Once set, this value >>> > can not be changed.") serve here? I think this mode 2 is needed, but >>> > without this extra property, which is bypassable by e.g. explicitly >>> > loaded kernel modules anyway (and that's OK). >>> >>> My reasoning about "Once set, this value can not be changed" is mainly for: >>> >>> If you have some systems where modules are not updated for any given >>> reason, then the only one who will be able to load a module is an >>> administrator, basically this is a shortcut for: >>> >>> * Apps/services can run with CAP_NET_ADMIN but they are not allowed to >>> auto-load 'netdev' modules. >>> >>> * Explicitly loading modules can be guarded by seccomp filters *per* >>> app, so even if these apps have >>> CAP_SYS_MODULE they won't be able to explicitly load modules, one >>> has to remount some sysctl /proc/ entries read-only here and remove >>> CAP_SYS_ADMIN for all apps anyway. >>> >>> This mainly serves the purpose of these systems that do not receive >>> updates, if I don't want to expose those kernel interfaces what should >>> I do ? then if I want to unload old versions and replace them with new >>> ones what operation should be allowed ? and only real root of the >>> system can do it. Hence, the "Once set, this value can not be changed" >>> is more of a shortcut, also the idea was put in my mind based on how >>> "modules_disabled" is disabled forever, and some other interfaces. I >>> would say: it is easy to handle a transition from 1) "hey this system >>> is still up to date, some features should be exposed" to 2) "this >>> system is not up to date anymore, only root should expose some >>> features..." >>> >>> Hmm, I am not sure if this answers your question ? :-) >> >> This answers my question, but in a way that I summarize as "there's no >> good reason to include this securelevel-like property". >> > > Hmm, sorry I did forget to add in my previous comment that with such > systems, CAP_SYS_MODULE can be used to reset the > "modules_autoload_mode" sysctl back from mode 2 to mode 1, even if we > disable it privileged tasks can be triggered to overwrite the sysctl > flag and get it back unless /proc is read-only... that's one of the > points, it should not be so easy to relax it. I'm on the fence. For modules_disabled and Yama, it was tied to CAP_SYS_ADMIN, basically designed to be a at-boot setting that could not later be undone by an attacker gaining that privilege, keeping them out of either kernel memory or existing user process memory. Here, it's CAP_SYS_MODULE... it's hard to imagine the situation where a CAP_SYS_MODULE-capable process could write to this sysctl but NOT issue direct modprobe requests, but it's _possible_ via crazy symlink games to trick capable processes into writing to sysctls. We've seen this multiple times before, and it's a way for attackers to turn a single privileged write into a privileged exec. I might turn the question around, though: why would we want to have it changeable at this setting? I'm fine leaving that piece off, either way. -Kees -- Kees Cook Pixel Security