Re: [PATCH v4 next 1/3] modules:capabilities: allow __request_module() to take a capability argument

2017-09-02 Thread Djalal Harouni
Hi Kees, On Thu, Jun 1, 2017 at 9:10 PM, Kees Cook wrote: > On Thu, Jun 1, 2017 at 7:56 AM, Djalal Harouni wrote: ... > >> BTW Kees, also in next version I won't remove the >> capable(CAP_NET_ADMIN) check from [1] >> even if there is the new request_module_cap(), I would like it to be >> in a

Re: [PATCH v4 next 1/3] modules:capabilities: allow __request_module() to take a capability argument

2017-06-01 Thread Kees Cook
On Thu, Jun 1, 2017 at 7:56 AM, Djalal Harouni wrote: > module_require_cap = 0; > > if (autoload == MODULES_AUTOLOAD_DISABLED) > return -EPERM; > > if (autoload == MODULES_AUTOLOAD_PRIVILEGED || require_cap > 0) { > if (prefix != NULL &&

Re: [PATCH v4 next 1/3] modules:capabilities: allow __request_module() to take a capability argument

2017-06-01 Thread Djalal Harouni
On Tue, May 30, 2017 at 7:59 PM, Kees Cook wrote: [...] >>> I see a few options: >>> >>> 1) keep what you have for v4, and hope other places don't use >>> __request_module. (I'm not a fan of this.) >> >> Yes even if it is documented I wouldn't bet on it, though. :-) > > Okay, we seem to agree:

Re: [PATCH v4 next 1/3] modules:capabilities: allow __request_module() to take a capability argument

2017-05-30 Thread Kees Cook
On Wed, May 24, 2017 at 7:16 AM, Djalal Harouni wrote: > On Tue, May 23, 2017 at 9:19 PM, Kees Cook wrote: >> On Tue, May 23, 2017 at 3:29 AM, Djalal Harouni wrote: >> Even in the existing code, there is a sense about CAP_NET_ADMIN and >> CAP_SYS_MODULE having different privilege levels, in

Re: [PATCH v4 next 1/3] modules:capabilities: allow __request_module() to take a capability argument

2017-05-24 Thread Djalal Harouni
On Tue, May 23, 2017 at 9:19 PM, Kees Cook wrote: > On Tue, May 23, 2017 at 3:29 AM, Djalal Harouni wrote: [...] >> I think if there is an interface request_module_capable() , then code >> will use it. The DCCP code path did not check capabilities at all and >> called request_module(), other

Re: [PATCH v4 next 1/3] modules:capabilities: allow __request_module() to take a capability argument

2017-05-23 Thread Kees Cook
On Tue, May 23, 2017 at 3:29 AM, Djalal Harouni wrote: > On Tue, May 23, 2017 at 12:20 AM, Kees Cook wrote: >> On Mon, May 22, 2017 at 4:57 AM, Djalal Harouni wrote: >>> This is a preparation patch for the module auto-load restriction feature. >>> >>> In order to restrict module auto-load

Re: [PATCH v4 next 1/3] modules:capabilities: allow __request_module() to take a capability argument

2017-05-23 Thread Djalal Harouni
On Tue, May 23, 2017 at 12:20 AM, Kees Cook wrote: > On Mon, May 22, 2017 at 4:57 AM, Djalal Harouni wrote: >> This is a preparation patch for the module auto-load restriction feature. >> >> In order to restrict module auto-load operations we need to check if the >> caller has CAP_SYS_MODULE

Re: [PATCH v4 next 1/3] modules:capabilities: allow __request_module() to take a capability argument

2017-05-22 Thread Kees Cook
On Mon, May 22, 2017 at 4:57 AM, Djalal Harouni wrote: > This is a preparation patch for the module auto-load restriction feature. > > In order to restrict module auto-load operations we need to check if the > caller has CAP_SYS_MODULE capability. This allows to align security > checks of

[PATCH v4 next 1/3] modules:capabilities: allow __request_module() to take a capability argument

2017-05-22 Thread Djalal Harouni
This is a preparation patch for the module auto-load restriction feature. In order to restrict module auto-load operations we need to check if the caller has CAP_SYS_MODULE capability. This allows us to align security checks of automatic module loading with the checks of the explicit operations.
