On Wed, Nov 29, 2017 at 07:35:31PM -0500, Theodore Ts'o wrote:
> On Wed, Nov 29, 2017 at 11:28:52AM -0600, Serge E. Hallyn wrote:
> >
> > Just to be clear, module loading requires - and must always continue to
> > require - CAP_SYS_MODULE against the initial user namespace. Containers
> > in user
On Wed, Nov 29, 2017 at 11:28:52AM -0600, Serge E. Hallyn wrote:
>
> Just to be clear, module loading requires - and must always continue to
> require - CAP_SYS_MODULE against the initial user namespace. Containers
> in user namespaces do not have that.
>
> I don't believe anyone has ever claime
On Wed, Nov 29, 2017 at 2:45 PM, Linus Torvalds
wrote:
> On Wed, Nov 29, 2017 at 7:58 AM, David Miller wrote:
>>
>> We're talking about making sure that loading "ppp.ko" really gets
>> ppp.ko rather than some_other_module.ko renamed to ppp.ko via some
>> other mechanism.
>>
>> Both modules have l
On Wed, Nov 29, 2017 at 7:58 AM, David Miller wrote:
>
> We're talking about making sure that loading "ppp.ko" really gets
> ppp.ko rather than some_other_module.ko renamed to ppp.ko via some
> other mechanism.
>
> Both modules have legitimate signatures so the kernel will happily
> load both.
Ye
Quoting Theodore Ts'o (ty...@mit.edu):
> Half the problem here is that with containers, people are changing the
> security model, because they want to let untrusted users have "root",
> without really having "root". Part of the fundamental problem is that
> there are some well-meaning, but fundame
On Wed, Nov 29, 2017 at 10:58:16AM -0500, David Miller wrote:
> That's not what we're talking about.
>
> We're talking about making sure that loading "ppp.ko" really gets
> ppp.ko rather than some_other_module.ko renamed to ppp.ko via some
> other mechanism.
Right, and the best solution to this p
From: Theodore Ts'o
Date: Wed, 29 Nov 2017 10:54:06 -0500
> On Wed, Nov 29, 2017 at 09:50:14AM -0500, David Miller wrote:
>> From: Alan Cox
>> Date: Wed, 29 Nov 2017 13:46:12 +
>>
>> > I really don't care what the module loading rules end up with and
>> > whether we add CAP_SYS_YET_ANOTHER_
On Wed, Nov 29, 2017 at 09:50:14AM -0500, David Miller wrote:
> From: Alan Cox
> Date: Wed, 29 Nov 2017 13:46:12 +
>
> > I really don't care what the module loading rules end up with and
> > whether we add CAP_SYS_YET_ANOTHER_MEANINGLESS_FLAG but what is
> > actually needed is to properly inc
From: Alan Cox
Date: Wed, 29 Nov 2017 13:46:12 +
> I really don't care what the module loading rules end up with and
> whether we add CAP_SYS_YET_ANOTHER_MEANINGLESS_FLAG but what is
> actually needed is to properly incorporate it into security rules
> for whatever LSM you are using.
I'm sur
On Tue, 28 Nov 2017 13:39:58 -0800
Kees Cook wrote:
> On Tue, Nov 28, 2017 at 1:16 PM, Luis R. Rodriguez wrote:
> > And *all* auto-loading uses aliases? What's the difference between
> > auto-loading
> > and direct-loading?
>
> The difference is the process privileges. Unprivileged autoloadin
On Tue, Nov 28, 2017 at 11:48:49PM +0100, Luis R. Rodriguez wrote:
> On Tue, Nov 28, 2017 at 02:18:18PM -0800, Kees Cook wrote:
> > On Tue, Nov 28, 2017 at 2:12 PM, Luis R. Rodriguez
> > wrote:
> > > On Tue, Nov 28, 2017 at 01:39:58PM -0800, Kees Cook wrote:
> > >> On Tue, Nov 28, 2017 at 1:16 PM
On Tue, Nov 28, 2017 at 11:18 PM, Luis R. Rodriguez wrote:
> On Tue, Nov 28, 2017 at 10:33:27PM +0100, Djalal Harouni wrote:
>> On Tue, Nov 28, 2017 at 10:16 PM, Luis R. Rodriguez
>> wrote:
>> > On Tue, Nov 28, 2017 at 12:11:34PM -0800, Kees Cook wrote:
>> >> On Tue, Nov 28, 2017 at 11:14 AM, Lu
On Tue, Nov 28, 2017 at 02:18:18PM -0800, Kees Cook wrote:
> On Tue, Nov 28, 2017 at 2:12 PM, Luis R. Rodriguez wrote:
> > On Tue, Nov 28, 2017 at 01:39:58PM -0800, Kees Cook wrote:
> >> On Tue, Nov 28, 2017 at 1:16 PM, Luis R. Rodriguez
> >> wrote:
> >> > And *all* auto-loading uses aliases? Wh
On Tue, Nov 28, 2017 at 10:33:27PM +0100, Djalal Harouni wrote:
> On Tue, Nov 28, 2017 at 10:16 PM, Luis R. Rodriguez wrote:
> > On Tue, Nov 28, 2017 at 12:11:34PM -0800, Kees Cook wrote:
> >> On Tue, Nov 28, 2017 at 11:14 AM, Luis R. Rodriguez
> >> wrote:
> >> > kmod is just a helper to poke us
On Tue, Nov 28, 2017 at 2:12 PM, Luis R. Rodriguez wrote:
> On Tue, Nov 28, 2017 at 01:39:58PM -0800, Kees Cook wrote:
>> On Tue, Nov 28, 2017 at 1:16 PM, Luis R. Rodriguez wrote:
>> > And *all* auto-loading uses aliases? What's the difference between
>> > auto-loading
>> > and direct-loading?
>
On Tue, Nov 28, 2017 at 01:39:58PM -0800, Kees Cook wrote:
> On Tue, Nov 28, 2017 at 1:16 PM, Luis R. Rodriguez wrote:
> > And *all* auto-loading uses aliases? What's the difference between
> > auto-loading
> > and direct-loading?
>
> The difference is the process privileges. Unprivileged autoloa
On Tue, Nov 28, 2017 at 10:16 PM, Luis R. Rodriguez wrote:
> On Tue, Nov 28, 2017 at 12:11:34PM -0800, Kees Cook wrote:
>> On Tue, Nov 28, 2017 at 11:14 AM, Luis R. Rodriguez
>> wrote:
>> > kmod is just a helper to poke userspace to load a module, that's it.
>> >
>> > The old init_module() and n
On Tue, Nov 28, 2017 at 1:16 PM, Luis R. Rodriguez wrote:
> And *all* auto-loading uses aliases? What's the difference between
> auto-loading
> and direct-loading?
The difference is the process privileges. Unprivileged autoloading
(e.g. int n_hdlc = N_HDLC; ioctl(fd,
TIOCSETD, &n_hdlc)), triggers
On Tue, Nov 28, 2017 at 12:11:34PM -0800, Kees Cook wrote:
> On Tue, Nov 28, 2017 at 11:14 AM, Luis R. Rodriguez wrote:
> > kmod is just a helper to poke userspace to load a module, that's it.
> >
> > The old init_module() and newer finit_module() do the real handy work of
> > module loading, and
Hi Luis,
On Tue, Nov 28, 2017 at 8:14 PM, Luis R. Rodriguez wrote:
> On Mon, Nov 27, 2017 at 06:18:34PM +0100, Djalal Harouni wrote:
> ...
>
>> After a discussion with Rusty Russell [1], the suggestion was to pass
>> the capability from request_module() to security_kernel_module_request()
>> for
On Tue, Nov 28, 2017 at 11:14 AM, Luis R. Rodriguez wrote:
> kmod is just a helper to poke userspace to load a module, that's it.
>
> The old init_module() and newer finit_module() do the real handy work of
> module loading, and both currently only use may_init_module():
>
> static int may_init_mo
On Mon, Nov 27, 2017 at 06:18:34PM +0100, Djalal Harouni wrote:
...
> After a discussion with Rusty Russell [1], the suggestion was to pass
> the capability from request_module() to security_kernel_module_request()
> for 'netdev-%s' modules that need CAP_NET_ADMIN, and after review from
> Kees Coo
Hi Randy,
On Mon, Nov 27, 2017 at 7:48 PM, Randy Dunlap wrote:
> Hi,
>
> Mostly typos/spellos...
>
>
> On 11/27/2017 09:18 AM, Djalal Harouni wrote:
>> Cc: Serge Hallyn
>> Cc: Andy Lutomirski
>> Suggested-by: Rusty Russell
>> Suggested-by: Kees Cook
>> Signed-off-by: Djalal Harouni
>> ---
>>
Hi,
Mostly typos/spellos...
On 11/27/2017 09:18 AM, Djalal Harouni wrote:
> Cc: Serge Hallyn
> Cc: Andy Lutomirski
> Suggested-by: Rusty Russell
> Suggested-by: Kees Cook
> Signed-off-by: Djalal Harouni
> ---
> include/linux/kmod.h | 65
> ++---
This is a preparation patch to improve the module auto-load
infrastructure.
We need this patch to have more control on module auto-load operations.
The operation by default is allowed unless enduser or the calling code
requests that we need to perform further permission checks.
With this change su