Re: [Patch] kexec_load: check CAP_SYS_MODULE

From: Eric W. Biederman
Date: Thu Jan 06 2011 - 03:47:23 EST


Amerigo Wang <amwang@xxxxxxxxxx> writes:

> Eric pointed out that kexec_load() actually allows you to
> run any code you want in ring0, this is more like CAP_SYS_MODULE.

Let me get this straight you want to make the permission checks
less stringent by allowing either CAP_SYS_MODULE or CAP_SYS_BOOT?

CAP_SYS_BOOT is the correct capability. Sure you can run any
code but only after rebooting. I don't see how this differs
from any other reboot scenario.

Eric


> Reported-by: Eric Paris <eparis@xxxxxxxxxx>
> Signed-off-by: WANG Cong <amwang@xxxxxxxxxx>
>
> ---
> diff --git a/kernel/kexec.c b/kernel/kexec.c
> index b55045b..c30d613 100644
> --- a/kernel/kexec.c
> +++ b/kernel/kexec.c
> @@ -945,7 +945,7 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
> int result;
>
> /* We only trust the superuser with rebooting the system. */
> - if (!capable(CAP_SYS_BOOT))
> + if (!capable(CAP_SYS_BOOT) || !capable(CAP_SYS_MODULE))
> return -EPERM;
>
> /*
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/