Re: [PATCH v2] net: don't allow CAP_NET_ADMIN to load non-netdevkernel modules

From: Serge E. Hallyn
Date: Thu Mar 24 2011 - 17:58:54 EST


Quoting David Miller (davem@xxxxxxxxxxxxx):
> From: Stephen Hemminger <shemminger@xxxxxxxxxx>
> Date: Thu, 24 Mar 2011 14:39:44 -0700
>
> > This breaks for many of the tunneling protocols, that rely on
> > autoload for names like "sit0"
>
> Frankly I'm very disappointed in the fallout this has been causing.
>
> Everyone supporting this change, get real, and admit it doing in fact
> cause a serious regression.

Sorry, I thought this was causing some extra audit messages but no
actual breakage?

> If you can't get past that simple fact, you cannot discuss this issue
> intelligently.
>
> You can't say "userland will fix things up"
>
> Because we're never supposed to break userland in the first place.
>
> There is simply no excuse for this and I want this change reverted
> both in Linus's tree and in -stable.

Eric, in this particular case, since we've already done a
'capable(CAP_NET_ADMIN)', I woudl argue that doing the check
for CAP_SYS_ADMIN without auditing failure (even if it requires
a new helper in capability.c) isn't horrible. Thoughts?

-serge
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/