[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20110326103539.GA4719@albatros>
Date: Sat, 26 Mar 2011 13:35:39 +0300
From: Vasiliy Kulikov <segoon@...nwall.com>
To: David Miller <davem@...emloft.net>
Cc: shemminger@...tta.com, serge.hallyn@...ntu.com,
bhutchings@...arflare.com, eparis@...hat.com,
eparis@...isplace.org, linux-kernel@...r.kernel.org,
mjt@....msk.ru, arnd@...db.de, mirqus@...il.com,
netdev@...r.kernel.org, kuznet@....inr.ac.ru, pekkas@...core.fi,
jmorris@...ei.org, yoshfuji@...ux-ipv6.org, kaber@...sh.net,
eric.dumazet@...il.com, therbert@...gle.com, xiaosuo@...il.com,
jesse@...ira.com, kees.cook@...onical.com, eugene@...hat.com,
dan.j.rosenberg@...il.com, akpm@...ux-foundation.org,
greg@...ah.com, sds@...ho.nsa.gov,
linux-security-module@...r.kernel.org, dwalsh@...hat.com,
dhowells@...hat.com
Subject: Re: [PATCH v2] net: don't allow CAP_NET_ADMIN to load non-netdev
kernel modules
On Thu, Mar 24, 2011 at 14:46 -0700, David Miller wrote:
> You can't say "userland will fix things up"
>
> Because we're never supposed to break userland in the first place.
I admit that the patch breaks things.
But the thing is that kernel changes _are_ breaking userspace here and
there, not only by such obvious policy changes, but by indirect changes.
Note that the patch that changed CAP_SYS_MODULE to CAP_NET_ADMIN has
broken userspace behavior too - one could load modules with
CAP_SYS_MODULE without CAP_NET_ADMIN via "ifconfig wifi0" and after the
patch it could not.
Look at this patch:
http://patchwork.ozlabs.org/patch/42148/
It breaks userspace tools too - one might run LSM in learning mode to
create a profile for netfilter configuring, saw it didn't need any CAP_*
and totally denied them in the profile. After many years (the bug was
fixed after 5+ years!) of good work it was broken by the patch. The same
with plenty of patches that introduce different checks in places where
there were no permission checks at all or these checks were broken.
--
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists