[PATCH v5 next 0/5] Improve Module autoloading infrastructure
Linus Torvalds
torvalds at linux-foundation.org
Mon Nov 27 19:02:20 UTC 2017
On Mon, Nov 27, 2017 at 10:41 AM, Linus Torvalds
<torvalds at linux-foundation.org> wrote:
>
> What are the real life use-cases for normal users having modules auto-load?
Well, I could do some testing. One case is apparently both bluetoothd
and ip6tables that have been converted to indeed use CAP_NET_ADMIN.
Annoying.
Still, can't we just say "you need to have capabilities" and leave it at that?
Something (UNTESTED and whitespace damaged) like this:
diff --git a/kernel/kmod.c b/kernel/kmod.c
index bc6addd9152b..a3f3218f66c6 100644
--- a/kernel/kmod.c
+++ b/kernel/kmod.c
@@ -139,6 +139,11 @@ int __request_module(bool wait, const char *fmt, ...)
if (!modprobe_path[0])
return 0;
+ if (WARN_ON_ONCE(!capable(CAP_SYS_MODULE) ||
+ !capable(CAP_SYS_ADMIN) ||
+ !capable(CAP_NET_ADMIN)))
+ return -EPERM;
+
va_start(args, fmt);
ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
va_end(args);
instead of adding complex infrastructure for something people might
not want anyway?
Now, the above will not necessarily work with a legacy /dev/ directory
where al the nodes have been pre-populated, and opening the device
node is supposed to load the module. So _historically_ we did indeed
load modules as normal users. But does that really happen any more?
I'd hate to default to historical behavior if there's no actual reason to do so.
Linus
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
More information about the Linux-security-module-archive
mailing list