From patchwork Mon Nov 27 17:18:38 2017
X-Patchwork-Submitter: Djalal Harouni
X-Patchwork-Id: 10077653
From: Djalal Harouni
To: Kees Cook, Andy Lutomirski, Andrew Morton, "Luis R. Rodriguez", James Morris, Ben Hutchings, Solar Designer, Serge Hallyn, Jessica Yu, Rusty Russell, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, kernel-hardening@lists.openwall.com
Cc: Jonathan Corbet, Ingo Molnar, "David S. Miller", netdev@vger.kernel.org, Peter Zijlstra, Linus Torvalds, Djalal Harouni
Date: Mon, 27 Nov 2017 18:18:38 +0100
Message-Id: <1511803118-2552-6-git-send-email-tixxdz@gmail.com>
In-Reply-To: <1511803118-2552-1-git-send-email-tixxdz@gmail.com>
Subject: [kernel-hardening] [PATCH v5 next 5/5] net: modules: use request_module_cap() to load 'netdev-%s' modules

This uses the new request_module_cap() facility to directly propagate the CAP_NET_ADMIN capability and the 'netdev' module prefix to the capability subsystem, as was suggested.

We do not remove the explicit capable(CAP_NET_ADMIN) check here, but we may remove it in future versions since it is also performed by the capability subsystem. This allows a better interface where other subsystems will just use this call and let the capability subsystem handle the permission checks, deciding if the modules should be loaded or not.

This is also an infrastructure fix since historically Linux always allowed auto-loading modules without privileges, and later the net code started to check capabilities and prefixes, adapting the CAP_NET_ADMIN check with the 'netdev' prefix to prevent abusing the capability by loading non-netdev modules.

However, from a bigger picture, we want to continue to support automatic module loading as non-privileged but also implement easy policy solutions like:

	User=djalal
	DenyNewFeatures=no

which will translate to allowing the interactive user djalal to load extra Linux features. Others, volatile accounts or guests can easily be blocked from doing so.

We have introduced in previous patches the necessary infrastructure, and now with this change we start to use the new request_module_cap() function to explicitly tell the capability subsystem that we want to auto-load modules with CAP_NET_ADMIN if they are prefixed.

This is also based on suggestions from Rusty Russell and Kees Cook [1].

[1] https://lkml.org/lkml/2017/4/26/735

Cc: Ben Hutchings
Cc: James Morris
Cc: Serge Hallyn
Cc: Solar Designer
Cc: Andy Lutomirski
Suggested-by: Rusty Russell
Suggested-by: Kees Cook
Signed-off-by: Djalal Harouni
---
 net/core/dev_ioctl.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/core/dev_ioctl.c b/net/core/dev_ioctl.c
index 7e690d0..fdd8560 100644
--- a/net/core/dev_ioctl.c
+++ b/net/core/dev_ioctl.c
@@ -382,8 +382,10 @@ void dev_load(struct net *net, const char *name) rcu_read_unlock(); no_module = !dev; + /* "netdev-%s" modules are allowed if CAP_NET_ADMIN is set */ if (no_module && capable(CAP_NET_ADMIN)) - no_module = request_module("netdev-%s", name); + no_module = request_module_cap(CAP_NET_ADMIN, "netdev", + "%s", name); if (no_module && capable(CAP_SYS_MODULE)) request_module("%s", name); }
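Review bot: the CAP_SYS_MODULE fallback at the end of the hunk still calls request_module("%s", name) directly, so only the prefixed 'netdev-%s' path is routed through request_module_cap() and the capability subsystem's policy; if the goal stated in the commit message is for the capability subsystem to centrally decide whether a module may be auto-loaded, consider either routing that unprefixed call through the new interface as well (if request_module_cap() accepts a call without a prefix) or saying in the commit message why the CAP_SYS_MODULE path is deliberately left as a plain request_module(). Separately, keeping the explicit capable(CAP_NET_ADMIN) check immediately in front of request_module_cap(CAP_NET_ADMIN, ...) means the same capability is checked twice on this path; a one-line comment stating that the duplicate check is intentional for now would stop a future reader from removing one of them without reading this commit message.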