Re: [PATCH v2] net: don't allow CAP_NET_ADMIN to load non-netdev kernel modules

From: Vasiliy Kulikov
Date: Sat Mar 26 2011 - 06:36:17 EST


On Thu, Mar 24, 2011 at 14:46 -0700, David Miller wrote:
> You can't say "userland will fix things up"
>
> Because we're never supposed to break userland in the first place.

I admit that the patch breaks things.

But the thing is that kernel changes _are_ breaking userspace here and
there, not only by such obvious policy changes, but by indirect changes.
Note that the patch that changed CAP_SYS_MODULE to CAP_NET_ADMIN has
broken userspace behavior too - one could load modules with
CAP_SYS_MODULE without CAP_NET_ADMIN via "ifconfig wifi0", and after the
patch one could not.

Look at this patch:
http://patchwork.ozlabs.org/patch/42148/

It breaks userspace tools too - one might have run an LSM in learning
mode to create a profile for configuring netfilter, seen that it didn't
need any CAP_*, and denied them all in the profile. After many years (the
bug was fixed after 5+ years!) of working well, it was broken by the
patch. The same goes for plenty of patches that introduce different
checks in places where there were no permission checks at all, or where
those checks were broken.

--
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments