lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 07 Jan 2011 15:32:13 -0500
From:	Eric Paris <eparis@...hat.com>
To:	"Eric W. Biederman" <ebiederm@...ssion.com>
Cc:	Amerigo Wang <amwang@...hat.com>, linux-kernel@...r.kernel.org,
	kexec@...ts.infradead.org
Subject: Re: [Patch] kexec_load: check CAP_SYS_MODULE

On Fri, 2011-01-07 at 12:10 -0800, Eric W. Biederman wrote:
> Eric Paris <eparis@...isplace.org> writes:

> >> CAP_SYS_BOOT is the correct capability.  Sure you can run any
> >> code but only after rebooting.  I don't see how this differs
> >> from any other reboot scenario.
> >
> > The difference is that after a reboot the bootloader and the system
> > control what code is run.  kexec_load() immediately runs the new
> > kernel which is not controlled by the bootloader or by the system.
> > Imagine a situation where the bootloader and the /boot directory are
> > RO (enforced by hardware).   kexec_load() would let you run any kernel
> > code you want on the box whereas reboot would not.
> 
> The scenario is imaginable (not common but imaginable) but I don't see
> how requiring CAP_SYS_MODULE makes anything better.
> 
> If I was building a configuration where I didn't want anyone to be able
> to direct the kernel into a different state by locking down the
> bootloaders I expect I would compile out the syscall as well.

As sad as it may sound the vast majority of people don't build their own
kernels.  And even those people who have the intelligence to do it are
often constrained by some non-technical policy to run 'approved'
kernels. 

> Most bootloaders have the option of booting something else the mechanism
> is just different. I really don't see what the addition of
> CAP_SYS_MODULE gains you.
> 
> Right now CAP_SYS_BOOT still makes sense to me and CAP_SYS_MODULE stills
> seems like nonsense in this context.

There is no question in my mind that CAP_SYS_BOOT makes sense.  We are
violently agreed on that point.  The problem is reboot() != kexec_load()
kexec_load() is as close to init_module() as it is to reboot().

Maybe I didn't make it clear how this is going to be used.  I plan to
drop CAP_SYS_MODULE to stop root from loading their own modules and
running their own code in the kernel.  I can control reboot() since I
control the platform and the bootloader.  I cannot control kexec().  I'm
also required to use a generic distro kernel (bet you can't guess which
one)

The only solution I see to solve the problem is to gate kexec on
CAP_SYS_MODULE.  Which makes sense since kexec() is in many respects
close to module_init() than it is to reboot().

-Eric

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ