On Tue, Oct 14, 2014 at 10:44:26PM +0400, ds wrote:
> On 14.10.2014 22:37, Martin Pitt wrote:
> >Note that at least CAP_SYS_MODULE is equivalent to root (as you can
> >load any local .ko which can then provide you with a backdoor into
> >the kernel),
> 
> I guess you have to put the .ko file at a protected place of
> filesystem for it to get loaded.

No, the init_module(2) syscall takes the module image as a buffer in
memory, and you can use that syscall if you have CAP_SYS_MODULE.

> And maybe it would even require recompiling kernel with your .ko in
> mind.

It is very unlikely that one would not be able to find some way to
escalate to root given the ability to construct an arbitrary kernel
module, without needing to recompile the kernel.  In general, once an
attacker can load kernel modules, you've already lost.  Martin's right -
CAP_SYS_MODULE is functionally equivalent to root.

-- 
Colin Watson                                       [cjwat...@ubuntu.com]
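
Added example, not part of the original message or of any Ubuntu tooling: a defender's audit for the point made above, listing tasks that hold CAP_SYS_MODULE in a usable capability set by decoding the Cap* masks from /proc/<pid>/status. The function names and the sample status texts are constructed for illustration; capability number 16 is taken from <linux/capability.h>.

```python
from pathlib import Path

CAP_SYS_MODULE = 16  # bit number from <linux/capability.h>
USABLE = ("CapInh", "CapPrm", "CapEff", "CapAmb")  # sets a task can use or pass on

def parse_status(text):
    """Parse /proc/<pid>/status text into (pid, name, {cap_set: mask})."""
    pid, name, masks = None, "?", {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if key == "Name":
            name = value.strip()
        elif key == "Pid":
            pid = int(value)
        elif sep and key.startswith("Cap"):
            masks[key] = int(value, 16)  # masks are printed as hex
    return pid, name, masks

def has_cap(mask, cap=CAP_SYS_MODULE):
    return bool((mask >> cap) & 1)

def audit(status_texts, cap=CAP_SYS_MODULE):
    """Return (pid, name, sets) for each task holding `cap` in a usable set."""
    findings = []
    for pid, name, masks in map(parse_status, status_texts):
        held = [s for s in USABLE if has_cap(masks.get(s, 0), cap)]
        if held:
            findings.append((pid, name, held))
    return findings

def bounded_out(text, cap=CAP_SYS_MODULE):  # True: `cap` is not in the bounding set
    return not has_cap(parse_status(text)[2].get("CapBnd", 0), cap)

def live_status_texts():
    for path in Path("/proc").glob("[0-9]*/status"):
        try:
            yield path.read_text()
        except OSError:  # task exited mid-scan or is unreadable
            continue

def sample(name, pid, prm, eff, bnd):  # constructed status text, not from a real host
    caps = zip(("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb"), (0, prm, eff, bnd, 0))
    return f"Name:\t{name}\nPid:\t{pid}\n" + "".join(f"{k}:\t{v:016x}\n" for k, v in caps)
SAMPLES = [sample("modhelper", 4242, 0x10000, 0x10000, 0x1FFFFFFFFFF),  # holds only this cap
           sample("bash", 1200, 0, 0, 0x1FFFFFFFFFF),                   # unprivileged shell
           sample("app", 7, 0xA80425FB, 0xA80425FB, 0xA80425FB)]        # cap dropped from bounding set

if __name__ == "__main__":
    print(audit(SAMPLES))  # on a Linux host: audit(live_status_texts())
```

A task reported here should be reviewed as if it ran as root, even when its UID is unprivileged; `bounded_out` separates tasks that merely lack the capability now from those whose bounding set no longer contains it.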
