Re: [PATCH] don't allow CAP_NET_ADMIN to load non-netdev kernelmodules

From: Vasiliy Kulikov
Date: Mon Feb 28 2011 - 04:51:44 EST


On Mon, Feb 28, 2011 at 12:29 +0300, Michael Tokarev wrote:
> 27.02.2011 23:22, Arnd Bergmann wrote:
> > The backwards compatibility should mostly be for systems that today don't
> > use split capabilities, right?
> >
> > The fallback could therefore rely on CAP_SYS_MODULE as well:
> >
> >     if (request_module("netdev-%s", name)) {
> >         if (capable(CAP_SYS_MODULE))
> >             request_module("%s", name);
> >     }
> >
> > Not 100% solution, but should solve the capability escalation nicely without
> > causing much pain.
>
> To me this looks like the best solution so far - trivial and
> compatible.

Agreed, it looks good. But before the request_module() there is a check
for capable(CAP_NET_ADMIN); IMO it's better to request either
CAP_NET_ADMIN or CAP_SYS_MODULE, not both of them.

    if (!dev) {
        if (capable(CAP_NET_ADMIN))
            request_module("netdev-%s", name);
        if (capable(CAP_SYS_MODULE)) {
            if (!request_module("%s", name))
                WARN_ONCE(1, "Loading kernel module for a network device"
                    " with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias"
                    " netdev-%s instead\n", name);
        }
    }

The only drawback is distributions/setups that already use
CAP_SYS_MODULE'less network scripts.

David, are you OK with this way?


Thanks,

--
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
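The check order proposed in this message, as an added user-space C model that is not code from the thread or from the kernel. The names model_dev_load and model_request_module, the module table, and the capability bit values are constructed for illustration, and the model assumes the CAP_SYS_MODULE fallback runs only when the "netdev-" alias request did not succeed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed capability bits for this model (not the kernel's numbering). */
enum { CAP_NET_ADMIN = 1 << 0, CAP_SYS_MODULE = 1 << 1 };
enum load_result { NOT_LOADED, LOADED_BY_ALIAS, LOADED_LEGACY };

/* Constructed module table: only network drivers carry a "netdev-" alias. */
struct mod { const char *name; const char *alias; };
static const struct mod modules[] = {
    { "tun",  "netdev-tun" },   /* network driver, has the alias */
    { "vfat", NULL },           /* filesystem, no netdev alias */
};

/* Stand-in for request_module(): returns 0 on success, like the kernel call. */
static int model_request_module(const char *req)
{
    for (size_t i = 0; i < sizeof(modules) / sizeof(modules[0]); i++) {
        if (!strcmp(req, modules[i].name) ||
            (modules[i].alias && !strcmp(req, modules[i].alias)))
            return 0;
    }
    return -1;
}

/* Models the proposed logic for a device name that is not yet registered. */
enum load_result model_dev_load(unsigned caps, const char *name)
{
    char alias[64];

    snprintf(alias, sizeof(alias), "netdev-%s", name);
    if ((caps & CAP_NET_ADMIN) && !model_request_module(alias))
        return LOADED_BY_ALIAS;
    /* Assumption: the fallback is tried only if the alias request failed. */
    if ((caps & CAP_SYS_MODULE) && !model_request_module(name)) {
        fprintf(stderr, "deprecated: loaded %s with CAP_SYS_MODULE; "
                "use CAP_NET_ADMIN and alias netdev-%s\n", name, name);
        return LOADED_LEGACY;
    }
    return NOT_LOADED;
}

int main(void)
{
    printf("NET_ADMIN  tun  -> %d\n", model_dev_load(CAP_NET_ADMIN, "tun"));
    printf("NET_ADMIN  vfat -> %d\n", model_dev_load(CAP_NET_ADMIN, "vfat"));
    printf("SYS_MODULE vfat -> %d\n", model_dev_load(CAP_SYS_MODULE, "vfat"));
    return 0;
}
```

The second line of output is the escalation being closed: a caller holding only CAP_NET_ADMIN gets NOT_LOADED for a module that has no "netdev-" alias.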