
Re: [PATCH] don't allow CAP_NET_ADMIN to load non-netdev kernel modules

From:  Arnd Bergmann <arnd-AT-arndb.de>
To:  Michał Mirosław <mirqus-AT-gmail.com>
Subject:  Re: [PATCH] don't allow CAP_NET_ADMIN to load non-netdev kernel modules
Date:  Sun, 27 Feb 2011 21:22:52 +0100
Message-ID:  <201102272122.52643.arnd@arndb.de>
Cc:  Ben Hutchings <bhutchings-AT-solarflare.com>, David Miller <davem-AT-davemloft.net>, segoon-AT-openwall.com, netdev-AT-vger.kernel.org, linux-kernel-AT-vger.kernel.org, kuznet-AT-ms2.inr.ac.ru, pekkas-AT-netcore.fi, jmorris-AT-namei.org, yoshfuji-AT-linux-ipv6.org, kaber-AT-trash.net, eric.dumazet-AT-gmail.com, therbert-AT-google.com, xiaosuo-AT-gmail.com, jesse-AT-nicira.com, kees.cook-AT-canonical.com, eugene-AT-redhat.com, dan.j.rosenberg-AT-gmail.com, akpm-AT-linux-foundation.org

On Friday 25 February 2011, Michał Mirosław wrote:
> > diff --git a/net/core/dev.c b/net/core/dev.c
> > index 54aaca6..0d09baa 100644
> > --- a/net/core/dev.c
> > +++ b/net/core/dev.c
> > @@ -1120,8 +1120,20 @@ void dev_load(struct net *net, const char *name)
> >        dev = dev_get_by_name_rcu(net, name);
> >        rcu_read_unlock();
> >
> > -       if (!dev && capable(CAP_NET_ADMIN))
> > -               request_module("%s", name);
> > +       if (!dev && capable(CAP_NET_ADMIN)) {
> > +               /* Check whether the name looks like one that a net
> > +                * driver will generate initially.  If not, require a
> > +                * module alias with a suitable prefix, so that this
> > +                * can't be used to load arbitrary modules.
> > +                */
> > +               if ((strncmp(name, "eth", 3) == 0 &&
> > +                    isdigit((unsigned char)name[3])) ||
> > +                   (strncmp(name, "wlan", 4) == 0 &&
> > +                    isdigit((unsigned char)name[4])))
> > +                       request_module("%s", name);
> > +               else
> > +                       request_module("netdev-%s", name);
> > +       }
> >  }
> >  EXPORT_SYMBOL(dev_load);
> >
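Review bot: the eth/wlan special case in dev_load() tests only name[3] or name[4] with isdigit(), so any name that merely begins with eth<digit> or wlan<digit> still reaches the unprefixed request_module("%s", name) with CAP_NET_ADMIN alone. Consider requiring the whole remainder of the name to be digits, or dropping the special case and always requesting "netdev-%s" first. The new comment should also state that every module meant to be reachable through this path now needs a netdev-<name> alias, and the return value of request_module() is still ignored, so a missing alias fails silently.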
> 
> This might be better as:
> 
> if (request_module("netdev-%s", name))
>     ... fallback
> 
> Then after some years the fallback could be removed if announced properly.

The backwards compatibility should mostly be for systems that today don't
use split capabilities, right?

The fallback could therefore rely on CAP_SYS_MODULE as well:

	if (request_module("netdev-%s", name)) {
		if (capable(CAP_SYS_MODULE))
			request_module("%s", name);
	}

Not a 100% solution, but should solve the capability escalation nicely without
causing much pain.

	Arnd
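
The three behaviours discussed in this thread (the original dev_load(), the quoted patch, and the CAP_SYS_MODULE-gated fallback from the reply above), as a user-space C model added here for illustration; it is not kernel code and not code from any participant. The alias table, the sample names and the choice to keep the outer CAP_NET_ADMIN check in the fallback variant are assumptions of this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum policy { ORIGINAL, PATCHED, FALLBACK };    /* labels are this example's */
struct caps { bool net_admin, sys_module; };
/* Constructed stand-in for request_module(): a bare name always resolves, a
 * "netdev-" name only if an alias exists (here: netdev-sit0). 0 = success. */
static int model_request(const char *mod, char *loaded, size_t n)
{
	if (strncmp(mod, "netdev-", 7) == 0 && strcmp(mod, "netdev-sit0") != 0)
		return -1;
	snprintf(loaded, n, "%s", mod);
	return 0;
}

/* Same test as the quoted patch: eth<digit>... or wlan<digit>... */
static bool initial_name(const char *s)
{
	return (strncmp(s, "eth", 3) == 0 && isdigit((unsigned char)s[3])) ||
	       (strncmp(s, "wlan", 4) == 0 && isdigit((unsigned char)s[4]));
}

/* Returns the module string that ends up loaded, "" if nothing was.
 * Assumption: CAP_NET_ADMIN is required first in all three variants. */
const char *model_dev_load(enum policy p, struct caps c, const char *name)
{
	static char loaded[64], alias[64];

	loaded[0] = '\0';
	snprintf(alias, sizeof(alias), "netdev-%s", name);
	if (c.net_admin && p == ORIGINAL)
		model_request(name, loaded, sizeof(loaded));
	else if (c.net_admin && p == PATCHED)
		model_request(initial_name(name) ? name : alias, loaded, sizeof(loaded));
	else if (c.net_admin && model_request(alias, loaded, sizeof(loaded)) && c.sys_module)
		model_request(name, loaded, sizeof(loaded));   /* fallback needs CAP_SYS_MODULE */
	return loaded;
}

int main(void)
{
	const char *names[] = { "eth0", "sit0", "othermod" };   /* constructed */
	struct caps split = { true, false };                    /* CAP_NET_ADMIN only */
	for (int i = 0; i < 3; i++)
		for (int p = ORIGINAL; p <= FALLBACK; p++)
			printf("%-8s policy %d -> '%s'\n", names[i], p, model_dev_load((enum policy)p, split, names[i]));
	return 0;
}
```

With CAP_NET_ADMIN only, the fallback variant loads nothing for "eth0" unless a netdev-eth0 alias exists, which is the compatibility cost the thread is weighing.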
