lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20140809170344.0352b16c@haswell.linuxnetplumber.net>
Date:	Sat, 9 Aug 2014 17:03:44 -0700
From:	Stephen Hemminger <stephen@...workplumber.org>
To:	Marcel Holtmann <marcel@...tmann.org>
Cc:	Daniel Borkmann <dborkman@...hat.com>,
	"netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: Re: Use CAP_NET_ADMIN and alias netdev-nlmon instead

On Sat, 9 Aug 2014 13:23:24 -0700
Marcel Holtmann <marcel@...tmann.org> wrote:

> Hi Daniel,
> 
> >> so I am running this command sequence:
> >> 
> >> 	ip link add name nlmon type nlmon
> >> 	ip link set dev nlmon up
> >> 
> >> With that I get this message in dmesg:
> >> 
> >> Loading kernel module for a network device with CAP_SYS_MODULE (deprecated).
> > > Use CAP_NET_ADMIN and alias netdev-nlmon instead.
> >> 
> >> The kernel section producing this is dev_load() from net/core/dev_ioctl.c:
> >> 
> >>         no_module = !dev;
> >>         if (no_module && capable(CAP_NET_ADMIN))
> >>                 no_module = request_module("netdev-%s", name);
> >>         if (no_module && capable(CAP_SYS_MODULE)) {
> >>                 if (!request_module("%s", name))
> >>                         pr_warn("Loading kernel module for a network device with CAP_SYS_MODULE (deprecated).  Use CAP_NET_ADMIN and alias netdev-%s instead.\n",
> >>                                 name);
> >>         }
> >> 
> >> Since I am explicitly giving the name from userspace, I have no idea why the
> > > kernel bugs me in providing netdev-nlmon alias. It makes no sense to me. What
> > > is the reasoning behind this?
> > 
> > Could it just be that your process doesn't have CAP_NET_ADMIN set
> > but CAP_SYS_MODULE instead thus triggering this pr_warn()?
> > 
> > grep Cap /proc/$$/status ?
> > 
> > Hm, I don't think this is nlmon related, above works fine on my side.
> 
> so I have not nlmon.ko loaded or compiled into the kernel. This means the ip command will trigger the autoloading. Command is either run with sudo or as root. So this is not a capability issue.
> 
> I think this is just a wrong check when handling loading of modules. I still do not understand how a netdev-%s alias makes any sense. Or even trying to load module nlmon.ko since I created interface nlmon.
> 
> The real module loading should also be done in the type and not the name.
> 
> Regards
> 
> Marcel
> 
> --
> To unsubscribe from this list: send the line "unsubscribe netdev" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html


The netdev module alias is a hold over from the past. For normal device people
used to create a alias eth0 to and point it to the type of network device used, that
was back in the bad old ISA days before real discovery.

Also, the tunnels create module alias for the control device and ip used to use
this to autoload the tunnel device.

The message is bogus and should just be removed, I also see it in a couple of other cases
where tap devices are renamed for  other usese.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ