Re: [PATCH] kmod: don't load module unless req process has CAP_SYS_MODULE

2017-05-15 Thread Florian Westphal
Eric W. Biederman wrote: > If loading the conntrack module changes the semantics of packet > processing when nothing is configured that is a bug in the conntrack > module. That's the default behaviour since forever. modprobe nf_conntrack_ipv4 -- module_init registers netfilter hooks and starts

Re: [PATCH] kmod: don't load module unless req process has CAP_SYS_MODULE

2017-05-15 Thread Eric W. Biederman
"Mahesh Bandewar (महेश बंडेवार)" writes: > On Mon, May 15, 2017 at 6:52 AM, David Miller wrote: >> From: Greg Kroah-Hartman >> Date: Mon, 15 May 2017 08:10:59 +0200 >> >>> On Sun, May 14, 2017 at 08:57:34AM -0500, Eric W. Biederman wrote: Greg Kroah-Hartman writes: diff --git

Re: [PATCH] kmod: don't load module unless req process has CAP_SYS_MODULE

2017-05-15 Thread David Miller
From: Mahesh Bandewar (महेश बंडेवार) Date: Mon, 15 May 2017 10:59:55 -0700 > The current behavior is already breaking things. e.g. unprivileged > process can be root inside its own user-ns. This will allow it to > create IPtable rules causing conntracking module to be loaded in > default-ns

Re: [PATCH] kmod: don't load module unless req process has CAP_SYS_MODULE

2017-05-15 Thread महेश बंडेवार
On Mon, May 15, 2017 at 6:52 AM, David Miller wrote: > From: Greg Kroah-Hartman > Date: Mon, 15 May 2017 08:10:59 +0200 > >> On Sun, May 14, 2017 at 08:57:34AM -0500, Eric W. Biederman wrote: >>> Greg Kroah-Hartman writes: >>> >>> diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c >>>

Re: [PATCH] kmod: don't load module unless req process has CAP_SYS_MODULE

2017-05-15 Thread Kees Cook
On Mon, May 15, 2017 at 6:12 AM, Eric Dumazet wrote: > On Sun, May 14, 2017 at 7:42 PM, Mahesh Bandewar (महेश बंडेवार) > wrote: >> On Sun, May 14, 2017 at 3:45 AM, Greg Kroah-Hartman >> wrote: >>> On Fri, May 12, 2017 at 04:22:59PM -0700, Mahesh Bandewar wrote: From: Mahesh Bandewar

Re: [PATCH] kmod: don't load module unless req process has CAP_SYS_MODULE

2017-05-15 Thread David Miller
From: Greg Kroah-Hartman Date: Mon, 15 May 2017 08:10:59 +0200 > On Sun, May 14, 2017 at 08:57:34AM -0500, Eric W. Biederman wrote: >> Greg Kroah-Hartman writes: >> >> diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c >> index bcb0f610ee42..6b72528a4636 100644 >> ---

Re: [PATCH] kmod: don't load module unless req process has CAP_SYS_MODULE

2017-05-15 Thread David Miller
From: Mahesh Bandewar (महेश बंडेवार) Date: Sun, 14 May 2017 19:42:08 -0700 > Any module when loaded gets loaded system-wide as we can't allow > module loading per-ns. To validate the behavior I was comparing it > with insmod/modprobe, if that doesn't allow because of lack of this > capability in

Re: [PATCH] kmod: don't load module unless req process has CAP_SYS_MODULE

2017-05-15 Thread Eric Dumazet
On Sun, May 14, 2017 at 7:42 PM, Mahesh Bandewar (महेश बंडेवार) wrote: > On Sun, May 14, 2017 at 3:45 AM, Greg Kroah-Hartman > wrote: >> On Fri, May 12, 2017 at 04:22:59PM -0700, Mahesh Bandewar wrote: >>> From: Mahesh Bandewar >>> > [...] >>> Now try to create a bridge inside this newly

Re: [PATCH] kmod: don't load module unless req process has CAP_SYS_MODULE

2017-05-15 Thread Greg Kroah-Hartman
On Sun, May 14, 2017 at 08:57:34AM -0500, Eric W. Biederman wrote: > Greg Kroah-Hartman writes: > > > On Fri, May 12, 2017 at 04:22:59PM -0700, Mahesh Bandewar wrote: > >> From: Mahesh Bandewar > >> > >> A process inside random user-ns should not load a module, which is > >> currently

Re: [PATCH] kmod: don't load module unless req process has CAP_SYS_MODULE

2017-05-15 Thread Greg Kroah-Hartman
On Sun, May 14, 2017 at 07:42:08PM -0700, Mahesh Bandewar (महेश बंडेवार) wrote: > On Sun, May 14, 2017 at 3:45 AM, Greg Kroah-Hartman > wrote: > > On Fri, May 12, 2017 at 04:22:59PM -0700, Mahesh Bandewar wrote: > >> From: Mahesh Bandewar > >> > [...] > >> Now try to create a bridge inside

Re: [PATCH] kmod: don't load module unless req process has CAP_SYS_MODULE

2017-05-14 Thread महेश बंडेवार
On Sun, May 14, 2017 at 3:45 AM, Greg Kroah-Hartman wrote: > On Fri, May 12, 2017 at 04:22:59PM -0700, Mahesh Bandewar wrote: >> From: Mahesh Bandewar >> [...] >> Now try to create a bridge inside this newly created net-ns which would >> mean bridge module need to be loaded. >> # ip link

Re: [PATCH] kmod: don't load module unless req process has CAP_SYS_MODULE

2017-05-14 Thread Eric W. Biederman
Greg Kroah-Hartman writes: > On Fri, May 12, 2017 at 04:22:59PM -0700, Mahesh Bandewar wrote: >> From: Mahesh Bandewar >> >> A process inside random user-ns should not load a module, which is >> currently possible. As demonstrated in following scenario - >> >> Create namespaces; especially

Re: [PATCH] kmod: don't load module unless req process has CAP_SYS_MODULE

2017-05-14 Thread Greg Kroah-Hartman
On Fri, May 12, 2017 at 04:22:59PM -0700, Mahesh Bandewar wrote: > From: Mahesh Bandewar > > A process inside random user-ns should not load a module, which is > currently possible. As demonstrated in following scenario - > > Create namespaces; especially a user-ns and become root inside. >

[PATCH] kmod: don't load module unless req process has CAP_SYS_MODULE

2017-05-12 Thread Mahesh Bandewar
From: Mahesh Bandewar A process inside random user-ns should not load a module, which is currently possible. As demonstrated in following scenario - Create namespaces; especially a user-ns and become root inside. $ unshare -rfUp -- unshare -unm -- bash Try to load the bridge module. It
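The reproduction in the patch description (become root in a fresh user namespace, then make the kernel autoload a module on your behalf) is easy to turn into a check that tells you whether a given kernel still lets an unprivileged user namespace trigger a system-wide module load. The script below is an added example written for this page; it is not part of the patch or of any reply in the thread. It assumes util-linux `unshare`, iproute2 `ip`, a kernel with `bridge` built as a module rather than built in, and a readable `/proc/modules`. The function names, the `--probe` flag and the sample module listing are this example's own.

```sh
#!/bin/sh
# Added example (not the patch's code): check whether a command run as "root"
# inside an unprivileged user namespace causes a module to be loaded for the
# whole system. Assumes util-linux unshare, iproute2 ip and /proc/modules.

# Constructed /proc/modules-style listing used only to exercise the parser.
# Format per line: name size refcount dependencies state address
SAMPLE_MODULES='bridge 155648 0 - Live 0x0000000000000000
stp 16384 1 bridge, Live 0x0000000000000000
llc 16384 2 bridge,stp, Live 0x0000000000000000'

# module_in_list NAME LISTING: succeed (0) if NAME is the first field of some
# line in LISTING, which has the layout of /proc/modules.
module_in_list() {
    printf '%s\n' "$2" | awk -v n="$1" '$1 == n { found = 1 } END { exit found ? 0 : 1 }'
}

# module_loaded NAME: succeed if NAME is currently loaded on the running
# kernel. Returns 2 when /proc/modules cannot be read (e.g. a restricted
# sandbox), which callers treat as "not known to be loaded".
module_loaded() {
    [ -r /proc/modules ] || return 2
    module_in_list "$1" "$(cat /proc/modules)"
}

# probe_ns_autoload MODULE CMD...: if MODULE is not loaded, run CMD as root
# inside a new user+mount+net namespace (the same nesting the patch author
# used) and report whether MODULE appeared afterwards. Exit status:
#   0  module was autoloaded from the unprivileged namespace
#   1  module stayed unloaded
#   2  module was already loaded, so nothing can be concluded
probe_ns_autoload() {
    mod=$1
    shift
    if module_loaded "$mod"; then
        echo "skip: $mod already loaded, cannot tell who loaded it"
        return 2
    fi
    # The inner command is expected to fail on a kernel that refuses the
    # autoload; we only care about the module table, not its exit status.
    unshare -rfUp -- unshare -unm -- "$@" >/dev/null 2>&1 || true
    if module_loaded "$mod"; then
        echo "autoloaded: $mod is now loaded system-wide"
        return 0
    fi
    echo "not autoloaded: $mod still absent"
    return 1
}

# Only run the live probe when asked, so sourcing the file has no side effects.
# Example from the thread: creating a bridge pulls in the bridge module.
if [ "${1:-}" = "--probe" ]; then
    probe_ns_autoload bridge ip link add br0 type bridge
fi
```

Run it as `sh check_autoload.sh --probe` on a kernel where `bridge` is a module and not yet loaded; on a kernel with the capability check the patch proposes, `ip link add` fails inside the namespace and the script reports the module still absent. The same function can be pointed at the other case raised in the thread by loading iptables rules that require conntrack, substituting `nf_conntrack` (or `nf_conntrack_ipv4` on a 2017-era kernel) for `bridge`. Note that the probe only proves an autoload happened when the module was absent to begin with, which is why it refuses to draw a conclusion otherwise.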