Re: [PATCH 05/10] asus-wmi: Restrict debugfs interface when module loading is restricted

On Thu, 2013-08-29 at 11:22 -0700, H. Peter Anvin wrote: On 08/19/2013 09:10 AM, Matthew Garrett wrote: + if (!capable(CAP_COMPROMISE_KERNEL)) + return -EPERM; + Stale bits? Yeah. Did I manage to send out the old copy of that again? I'm sorry, spending a few months

Re: [PATCH 05/10] asus-wmi: Restrict debugfs interface when module loading is restricted

On 08/29/2013 11:35 AM, Matthew Garrett wrote: On Thu, 2013-08-29 at 11:22 -0700, H. Peter Anvin wrote: On 08/19/2013 09:10 AM, Matthew Garrett wrote: + if (!capable(CAP_COMPROMISE_KERNEL)) + return -EPERM; + Stale bits? Yeah. Did I manage to send out the old copy of that

Re: [PATCH 05/10] asus-wmi: Restrict debugfs interface when module loading is restricted

On Thu, 2013-08-29 at 11:46 -0700, H. Peter Anvin wrote: On 08/29/2013 11:35 AM, Matthew Garrett wrote: On Thu, 2013-08-29 at 11:22 -0700, H. Peter Anvin wrote: On 08/19/2013 09:10 AM, Matthew Garrett wrote: + if (!capable(CAP_COMPROMISE_KERNEL)) + return -EPERM; + Stale

Re: [PATCH 05/10] asus-wmi: Restrict debugfs interface when module loading is restricted

On 08/29/2013 11:49 AM, Matthew Garrett wrote: No, you mixed and matched in a single patch... Right, but I'd fixed that in V2 (which I see I *did* send correctly, and you're just replying to the old one :)) Well, I'm responding to the one that was sent 31 minutes ago. -hpa --

Re: [PATCH 05/10] asus-wmi: Restrict debugfs interface when module loading is restricted

On Thu, 2013-08-29 at 12:05 -0700, H. Peter Anvin wrote: On 08/29/2013 11:49 AM, Matthew Garrett wrote: No, you mixed and matched in a single patch... Right, but I'd fixed that in V2 (which I see I *did* send correctly, and you're just replying to the old one :)) Well, I'm

Re: [PATCH 05/10] asus-wmi: Restrict debugfs interface when module loading is restricted

On Thu, Aug 29, 2013 at 12:05:47PM -0700, H. Peter Anvin wrote: On 08/29/2013 11:49 AM, Matthew Garrett wrote: No, you mixed and matched in a single patch... Right, but I'd fixed that in V2 (which I see I *did* send correctly, and you're just replying to the old one :)) Well, I'm

[PATCH 05/10] asus-wmi: Restrict debugfs interface when module loading is restricted

We have no way of validating what all of the Asus WMI methods do on a given machine, and there's a risk that some will allow hardware state to be manipulated in such a way that arbitrary code can be executed in the kernel, circumventing module loading restrictions. Prevent that if any of these

Re: [PATCH 05/10] asus-wmi: Restrict debugfs interface when module loading is restricted

On Mon, Aug 19, 2013 at 9:10 AM, Matthew Garrett matthew.garr...@nebula.com wrote: We have no way of validating what all of the Asus WMI methods do on a given machine, and there's a risk that some will allow hardware state to be manipulated in such a way that arbitrary code can be executed in

Re: [PATCH 05/10] asus-wmi: Restrict debugfs interface when module loading is restricted

On Mon, 2013-08-19 at 09:20 -0700, Kees Cook wrote: Looks like this and the next chunk weren't changed to the secure_modules() API... Bother. Yeah, looks like my test config had this left out. -- Matthew Garrett matthew.garr...@nebula.com