Re: [PATCH] don't allow CAP_NET_ADMIN to load non-netdev kernel modules

From: Valdis . Kletnieks
Date: Fri Feb 25 2011 - 12:28:45 EST

On Fri, 25 Feb 2011 18:14:14 +0300, Vasiliy Kulikov said:
> Since a8f80e8ff94ecba629542d9b4b5f5a8ee3eb565c any process with
> CAP_NET_ADMIN may load any module from /lib/modules/. This doesn't mean
> that CAP_NET_ADMIN is a superset of CAP_SYS_MODULE as modules are limited
> to /lib/modules/**. However, CAP_NET_ADMIN capability shouldn't allow
> anybody load any module not related to networking.
> This patch restricts an ability of autoloading modules to netdev modules
> with explicit aliases. Currently there are only three users of the
> feature: ipip, ip_gre and sit.

And you stop an attacker from simply recompiling the module with a suitable
MODULE_ALIAS line added, how, exactly? This patch may make sense down the
road, but not while it's still trivial for a malicious root user to drop stuff
into /lib/modules.

And if you're going the route "but SELinux/SMACK/Tomoyo will prevent a malicious
root user from doing that", then the obvious reply is "this should be part of those
subsystems rather than something done one-off like this (especially as it has a chance
of breaking legitimate setups that use the current scheme).

Attachment: pgp00000.pgp
Description: PGP signature