lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-Id: <20140905.120500.1765085127279000120.davem@davemloft.net>
Date:	Fri, 05 Sep 2014 12:05:00 -0700 (PDT)
From:	David Miller <davem@...emloft.net>
To:	dborkman@...hat.com
Cc:	marcel@...tmann.org, stephen@...workplumber.org,
	netdev@...r.kernel.org, segoon@...nwall.com
Subject: Re: [PATCH net-next] dev_ioctl: remove dev_load() CAP_SYS_MODULE
 message

From: Daniel Borkmann <dborkman@...hat.com>
Date: Tue,  2 Sep 2014 23:30:05 +0200

> Marcel reported to see the following message when autoloading
> is being triggered when adding nlmon device:
> 
>   Loading kernel module for a network device with
>   CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias
>   netdev-nlmon instead.
> 
> This false-positive happens despite with having correct
> capabilities set, e.g. through issuing `ip link del dev nlmon`
> more than once on a valid device with name nlmon, but Marcel
> has also seen it on creation time when no nlmon module is
> previously compiled-in or loaded as module and the device
> name equals a link type name (e.g. nlmon, vxlan, team).
> 
> Stephen says:
> 
>   The netdev module alias is a hold over from the past. For
>   normal devices, people used to create a alias eth0 to and
>   point it to the type of network device used, that was back
>   in the bad old ISA days before real discovery.
> 
>   Also, the tunnels create module alias for the control device
>   and ip used to use this to autoload the tunnel device.
> 
>   The message is bogus and should just be removed, I also see
>   it in a couple of other cases where tap devices are renamed
>   for other usese.
> 
> As mentioned in 8909c9ad8ff0 ("net: don't allow CAP_NET_ADMIN
> to load non-netdev kernel modules"), we nevertheless still
> might want to leave the old autoloading behaviour in place
> as it could break old scripts, so for now, lets just remove
> the log message as Stephen suggests.
> 
> Reference: http://thread.gmane.org/gmane.linux.kernel/1105168
> Reported-by: Marcel Holtmann <marcel@...tmann.org>
> Suggested-by: Stephen Hemminger <stephen@...workplumber.org>
> Signed-off-by: Daniel Borkmann <dborkman@...hat.com>
> Cc: Vasiliy Kulikov <segoon@...nwall.com>
> ---
>  (Sending to net-next as I don't think it's very urgent.)

Applied, thanks Daniel.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ