Re: [RFC/PATCH 2/3] security: Add the Timgad module
From: James Morris
Date: Thu Feb 02 2017 - 20:04:11 EST
On Thu, 2 Feb 2017, Djalal Harouni wrote:
> *) The per-process prctl() settings are:
> prctl(PR_TIMGAD_OPTS, PR_TIGMAD_SET_MOD_RESTRICT, value, 0, 0)
>
> Where value means:
>
> 0 - Classic module load and unload permissions, nothing changes.
>
> 1 - The current process must have CAP_SYS_MODULE to be able to load and
> unload modules. CAP_NET_ADMIN should allow the current process to
> load and unload only netdev aliased modules, not implemented
>
> 2 - Current process can not loaded nor unloaded modules.
>
> *) sysctl interface supports the followin values:
>
> 0 - Classic module load and unload permissions, nothing changes.
>
> 1 - Only privileged processes with CAP_SYS_MODULE should be able to load and
> unload modules.
>
> To be added: processes with CAP_NET_ADMIN should be able to
> load and unload only netdev aliased modules, this is currently not
> supported. Other checks for real root without CAP_SYS_MODULE ? ...
>
> (This should be improved)
>
> 2 - Modules can not be loaded nor unloaded. Once set, this sysctl value
> cannot be changed.
How is this different to just using CAP_SYS_MODULE?
--
James Morris
<jmorris@xxxxxxxxx>