[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1299708672.17577.42.camel@unknown001a4b0c2895>
Date: Wed, 09 Mar 2011 17:11:12 -0500
From: Eric Paris <eparis@...hat.com>
To: Greg KH <greg@...ah.com>
Cc: linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org, dhowells@...hat.com,
jmorris@...ei.org, serge.hallyn@...onical.com, morgan@...nel.org
Subject: Re: [PATCH -v2] capabilites: allow the application of capability
limits to usermode helpers
On Wed, 2011-03-09 at 13:38 -0800, Greg KH wrote:
> On Wed, Mar 09, 2011 at 02:33:31PM -0500, Eric Paris wrote:
> > There is no way to limit the capabilities of usermodehelpers. This problem
> > reared its head recently when someone complained that any user with
> > cap_net_admin was able to load arbitrary kernel modules, even though the user
> > didn't have cap_sys_module. The reason is because the actual load is done by
> > a usermode helper and those always have the full cap set. This patch addes new
> > sysctls which allow us to bound the permissions of usermode helpers.
> >
> > /proc/sys/kernel/usermodehelper/bset
> > /proc/sys/kernel/usermodehelper/inheritable
>
> Shouldn't these be documented somewhere? Documentation/ABI?
Yes, they should. Will do.
> > You must have CAP_SYS_MODULE to change these (changes are &= ONLY).
>
> Why that permission? Just because 'modprobe' is usually run from this
> callback? Or some other reason?
I don't have a good answer for this. I was originally looking at this
thinking about modprobe. Since it's a purely restrictive interface I
probably don't need something quite so strong. I'm trying to decide
what the implications are of usemode helpers being forced to run with
reduced permissions. Andrew, do you have thoughts?
> > When the kernel launches a usermodehelper it will do so with these as
> > the bset and pI.
>
> Shouldn't the caller of these functions be the ones dictating the
> capabilities it should be run with?
Yes. And no. It depends what you mean. The caps of the 'caller' task
are irrelevant. If I run ifconfig ipv6 I need CAP_NET_ADMIN but the
upcall needs CAP_SYS_MODULE. If I plug in a USB drive there is no
'caller' task which makes sense.
Now if by 'caller' you mean 'call site' then yes, we could probably
launch usermodehelpers with reduced privileged sets. We know in the
code when we are asking to launch modprobe that we are going to need
CAP_SYS_MODULE and don't need caps like CAP_SYS_RAWIO and CAP_MAC_ADMIN.
We know when we upcall to hotplug we don't really need any priv, since
it's another task that is going to do the real work. So yeah, there
might be some value in another patch to address this....
But neither solves the problem of being able to eliminate capabilities
from a machine globally. In olden times we had a global cap-bound but
it was dropped in favor of an inheritance from init type mechanism.
Since kthreads don't inherit from init we still end up with this patch.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists