Re: [Patch] kexec_load: check CAP_SYS_MODULE

[Eric W. Biederman]

Amerigo Wang <amwang@xxxxxxxxxx> writes:

> Eric pointed out that kexec_load() actually allows you to
> run any code you want in ring0, this is more like CAP_SYS_MODULE.

Let me get this straight you want to make the permission checks
less stringent by allowing either CAP_SYS_MODULE or CAP_SYS_BOOT?

CAP_SYS_BOOT is the correct capability.  Sure you can run any
code but only after rebooting.  I don't see how this differs
from any other reboot scenario.

Eric


> Reported-by: Eric Paris <eparis@xxxxxxxxxx>
> Signed-off-by: WANG Cong <amwang@xxxxxxxxxx>
>
> ---
> diff --git a/kernel/kexec.c b/kernel/kexec.c
> index b55045b..c30d613 100644
> --- a/kernel/kexec.c
> +++ b/kernel/kexec.c
> @@ -945,7 +945,7 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
>  	int result;
>  
>  	/* We only trust the superuser with rebooting the system. */
> -	if (!capable(CAP_SYS_BOOT))
> +	if (!capable(CAP_SYS_BOOT) || !capable(CAP_SYS_MODULE))
>  		return -EPERM;
>  
>  	/*
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/