Re: [PATCH v5 next 1/5] modules:capabilities: add request_module_cap()

2017-11-30 Thread Serge E. Hallyn
On Wed, Nov 29, 2017 at 07:35:31PM -0500, Theodore Ts'o wrote: > On Wed, Nov 29, 2017 at 11:28:52AM -0600, Serge E. Hallyn wrote: > > > > Just to be clear, module loading requires - and must always continue to > > require - CAP_SYS_MODULE against the initial user namespace. Containers > > in

Re: [PATCH v5 next 1/5] modules:capabilities: add request_module_cap()

2017-11-29 Thread Theodore Ts'o
On Wed, Nov 29, 2017 at 11:28:52AM -0600, Serge E. Hallyn wrote: > > Just to be clear, module loading requires - and must always continue to > require - CAP_SYS_MODULE against the initial user namespace. Containers > in user namespaces do not have that. > > I don't believe anyone has ever

Re: [PATCH v5 next 1/5] modules:capabilities: add request_module_cap()

2017-11-29 Thread Kees Cook
On Wed, Nov 29, 2017 at 2:45 PM, Linus Torvalds wrote: > On Wed, Nov 29, 2017 at 7:58 AM, David Miller wrote: >> >> We're talking about making sure that loading "ppp.ko" really gets >> ppp.ko rather than some_other_module.ko renamed to ppp.ko via some >> other mechanism. >> >> Both modules have

Re: [PATCH v5 next 1/5] modules:capabilities: add request_module_cap()

2017-11-29 Thread Linus Torvalds
On Wed, Nov 29, 2017 at 7:58 AM, David Miller wrote: > > We're talking about making sure that loading "ppp.ko" really gets > ppp.ko rather than some_other_module.ko renamed to ppp.ko via some > other mechanism. > > Both modules have legitimate signatures so the kernel will happily > load both.

Re: [PATCH v5 next 1/5] modules:capabilities: add request_module_cap()

2017-11-29 Thread Serge E. Hallyn
Quoting Theodore Ts'o (ty...@mit.edu): > Half the problem here is that with containers, people are changing the > security model, because they want to let untrusted users have "root", > without really having "root". Part of the fundamental problem is that > there are some well-meaning, but

Re: [PATCH v5 next 1/5] modules:capabilities: add request_module_cap()

2017-11-29 Thread Theodore Ts'o
On Wed, Nov 29, 2017 at 10:58:16AM -0500, David Miller wrote: > That's not what we're talking about. > > We're talking about making sure that loading "ppp.ko" really gets > ppp.ko rather than some_other_module.ko renamed to ppp.ko via some > other mechanism. Right, and the best solution to this

Re: [PATCH v5 next 1/5] modules:capabilities: add request_module_cap()

2017-11-29 Thread David Miller
From: Theodore Ts'o Date: Wed, 29 Nov 2017 10:54:06 -0500 > On Wed, Nov 29, 2017 at 09:50:14AM -0500, David Miller wrote: >> From: Alan Cox >> Date: Wed, 29 Nov 2017 13:46:12 + >> >> > I really don't care what the module loading rules end up with and >> > whether we add

Re: [PATCH v5 next 1/5] modules:capabilities: add request_module_cap()

2017-11-29 Thread Theodore Ts'o
On Wed, Nov 29, 2017 at 09:50:14AM -0500, David Miller wrote: > From: Alan Cox > Date: Wed, 29 Nov 2017 13:46:12 + > > > I really don't care what the module loading rules end up with and > > whether we add CAP_SYS_YET_ANOTHER_MEANINGLESS_FLAG but what is > > actually needed is to properly

Re: [PATCH v5 next 1/5] modules:capabilities: add request_module_cap()

2017-11-29 Thread David Miller
From: Alan Cox Date: Wed, 29 Nov 2017 13:46:12 + > I really don't care what the module loading rules end up with and > whether we add CAP_SYS_YET_ANOTHER_MEANINGLESS_FLAG but what is > actually needed is to properly incorporate it into security rules > for whatever LSM you are using. I'm

Re: [PATCH v5 next 1/5] modules:capabilities: add request_module_cap()

2017-11-29 Thread Alan Cox
On Tue, 28 Nov 2017 13:39:58 -0800 Kees Cook wrote: > On Tue, Nov 28, 2017 at 1:16 PM, Luis R. Rodriguez wrote: > > And *all* auto-loading uses aliases? What's the difference between > > auto-loading > > and direct-loading? > > The difference is the process privileges. Unprivileged

Re: [PATCH v5 next 1/5] modules:capabilities: add request_module_cap()

2017-11-28 Thread Michal Kubecek
On Tue, Nov 28, 2017 at 11:48:49PM +0100, Luis R. Rodriguez wrote: > On Tue, Nov 28, 2017 at 02:18:18PM -0800, Kees Cook wrote: > > On Tue, Nov 28, 2017 at 2:12 PM, Luis R. Rodriguez > > wrote: > > > On Tue, Nov 28, 2017 at 01:39:58PM -0800, Kees Cook wrote: > > >> On Tue, Nov 28, 2017 at 1:16

Re: [PATCH v5 next 1/5] modules:capabilities: add request_module_cap()

2017-11-28 Thread Djalal Harouni
On Tue, Nov 28, 2017 at 11:18 PM, Luis R. Rodriguez wrote: > On Tue, Nov 28, 2017 at 10:33:27PM +0100, Djalal Harouni wrote: >> On Tue, Nov 28, 2017 at 10:16 PM, Luis R. Rodriguez >> wrote: >> > On Tue, Nov 28, 2017 at 12:11:34PM -0800, Kees Cook wrote: >> >> On Tue, Nov 28, 2017 at 11:14 AM,

Re: [PATCH v5 next 1/5] modules:capabilities: add request_module_cap()

2017-11-28 Thread Luis R. Rodriguez
On Tue, Nov 28, 2017 at 02:18:18PM -0800, Kees Cook wrote: > On Tue, Nov 28, 2017 at 2:12 PM, Luis R. Rodriguez wrote: > > On Tue, Nov 28, 2017 at 01:39:58PM -0800, Kees Cook wrote: > >> On Tue, Nov 28, 2017 at 1:16 PM, Luis R. Rodriguez > >> wrote: > >> > And *all* auto-loading uses aliases?

Re: [PATCH v5 next 1/5] modules:capabilities: add request_module_cap()

2017-11-28 Thread Luis R. Rodriguez
On Tue, Nov 28, 2017 at 10:33:27PM +0100, Djalal Harouni wrote: > On Tue, Nov 28, 2017 at 10:16 PM, Luis R. Rodriguez wrote: > > On Tue, Nov 28, 2017 at 12:11:34PM -0800, Kees Cook wrote: > >> On Tue, Nov 28, 2017 at 11:14 AM, Luis R. Rodriguez > >> wrote: > >> > kmod is just a helper to poke

Re: [PATCH v5 next 1/5] modules:capabilities: add request_module_cap()

2017-11-28 Thread Kees Cook
On Tue, Nov 28, 2017 at 2:12 PM, Luis R. Rodriguez wrote: > On Tue, Nov 28, 2017 at 01:39:58PM -0800, Kees Cook wrote: >> On Tue, Nov 28, 2017 at 1:16 PM, Luis R. Rodriguez wrote: >> > And *all* auto-loading uses aliases? What's the difference between >> > auto-loading >> > and direct-loading?

Re: [PATCH v5 next 1/5] modules:capabilities: add request_module_cap()

2017-11-28 Thread Luis R. Rodriguez
On Tue, Nov 28, 2017 at 01:39:58PM -0800, Kees Cook wrote: > On Tue, Nov 28, 2017 at 1:16 PM, Luis R. Rodriguez wrote: > > And *all* auto-loading uses aliases? What's the difference between > > auto-loading > > and direct-loading? > > The difference is the process privileges. Unprivileged

Re: [PATCH v5 next 1/5] modules:capabilities: add request_module_cap()

2017-11-28 Thread Djalal Harouni
On Tue, Nov 28, 2017 at 10:16 PM, Luis R. Rodriguez wrote: > On Tue, Nov 28, 2017 at 12:11:34PM -0800, Kees Cook wrote: >> On Tue, Nov 28, 2017 at 11:14 AM, Luis R. Rodriguez >> wrote: >> > kmod is just a helper to poke userspace to load a module, that's it. >> > >> > The old init_module() and

Re: [PATCH v5 next 1/5] modules:capabilities: add request_module_cap()

2017-11-28 Thread Kees Cook
On Tue, Nov 28, 2017 at 1:16 PM, Luis R. Rodriguez wrote: > And *all* auto-loading uses aliases? What's the difference between > auto-loading > and direct-loading? The difference is the process privileges. Unprivileged autoloading (e.g. int n_hdlc = N_HDLC; ioctl(fd, TIOCSETD, &n_hdlc)), triggers

Re: [PATCH v5 next 1/5] modules:capabilities: add request_module_cap()

2017-11-28 Thread Luis R. Rodriguez
On Tue, Nov 28, 2017 at 12:11:34PM -0800, Kees Cook wrote: > On Tue, Nov 28, 2017 at 11:14 AM, Luis R. Rodriguez wrote: > > kmod is just a helper to poke userspace to load a module, that's it. > > > > The old init_module() and newer finit_module() do the real handy work or > > module loading, and

Re: [PATCH v5 next 1/5] modules:capabilities: add request_module_cap()

2017-11-28 Thread Djalal Harouni
Hi Luis, On Tue, Nov 28, 2017 at 8:14 PM, Luis R. Rodriguez wrote: > On Mon, Nov 27, 2017 at 06:18:34PM +0100, Djalal Harouni wrote: > ... > >> After a discussion with Rusty Russell [1], the suggestion was to pass >> the capability from request_module() to security_kernel_module_request() >> for

Re: [PATCH v5 next 1/5] modules:capabilities: add request_module_cap()

2017-11-28 Thread Kees Cook
On Tue, Nov 28, 2017 at 11:14 AM, Luis R. Rodriguez wrote: > kmod is just a helper to poke userspace to load a module, that's it. > > The old init_module() and newer finit_module() do the real handy work or > module loading, and both currently only use may_init_module(): > > static int

Re: [PATCH v5 next 1/5] modules:capabilities: add request_module_cap()

2017-11-28 Thread Luis R. Rodriguez
On Mon, Nov 27, 2017 at 06:18:34PM +0100, Djalal Harouni wrote: ... > After a discussion with Rusty Russell [1], the suggestion was to pass > the capability from request_module() to security_kernel_module_request() > for 'netdev-%s' modules that need CAP_NET_ADMIN, and after review from > Kees

Re: [PATCH v5 next 1/5] modules:capabilities: add request_module_cap()

2017-11-27 Thread Djalal Harouni
Hi Randy, On Mon, Nov 27, 2017 at 7:48 PM, Randy Dunlap wrote: > Hi, > > Mostly typos/spellos... > > > On 11/27/2017 09:18 AM, Djalal Harouni wrote: >> Cc: Serge Hallyn >> Cc: Andy Lutomirski >> Suggested-by: Rusty Russell >> Suggested-by: Kees Cook >> Signed-off-by: Djalal Harouni >> ---

Re: [PATCH v5 next 1/5] modules:capabilities: add request_module_cap()

2017-11-27 Thread Randy Dunlap
Hi, Mostly typos/spellos... On 11/27/2017 09:18 AM, Djalal Harouni wrote: > Cc: Serge Hallyn > Cc: Andy Lutomirski > Suggested-by: Rusty Russell > Suggested-by: Kees Cook > Signed-off-by: Djalal Harouni > --- > include/linux/kmod.h | 65 >