| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <YUIZKagx0bjJ3PEm@kroah.com>
Date: Wed, 15 Sep 2021 18:02:49 +0200
From: Greg KH <gregkh@...uxfoundation.org>
To: Thomas Weißschuh <thomas@...ch.de>
Cc: linux-api@...r.kernel.org, linux-kernel@...r.kernel.org,
Luis Chamberlain <mcgrof@...nel.org>,
Jessica Yu <jeyu@...nel.org>
Subject: Re: [RFC] Expose request_module via syscall
On Wed, Sep 15, 2021 at 05:49:34PM +0200, Thomas Weißschuh wrote:
> Hi,
>
> I would like to propose a new syscall that exposes the functionality of
> request_module() to userspace.
>
> Propsed signature: request_module(char *module_name, char **args, int flags);
> Where args and flags have to be NULL and 0 for the time being.
>
> Rationale:
>
> We are using nested, privileged containers which are loading kernel modules.
> Currently we have to always pass around the contents of /lib/modules from the
> root namespace which contains the modules.
> (Also the containers need to have userspace components for moduleloading
> installed)
>
> The syscall would remove the need for this bookkeeping work.
So you want any container to have the ability to "bust through" the
containers and load a module from the "root" of the system?
That feels dangerous, why not just allow a mount of /lib/modules into
the containers that you want to be able to load a module?
Why are modules somehow "special" here, they are just a resource that
has to be allowed (or not) to be accessed by a container like anything
else on a filesystem.
thanks,
greg k-h
Powered by blists - more mailing lists