Re: [PATCH net-next] modules: allow modprobe load regular elf binaries
From: Linus Torvalds
Date: Fri Mar 09 2018 - 13:18:03 EST
On Thu, Mar 8, 2018 at 9:08 PM, Alexei Starovoitov <ast@xxxxxx> wrote:
>
> there is not abi breakage and file cannot disappear from running task.
> One cannot umount fs while file is still being used.
I think that "cannot umount" part _is_ the ABI breakage that Andy is
talking about.
> Not only "read twice", but "read many".
> If .text sections of elf that are not yet in memory can be modified
> by malicious user, later they will be brought in with different code.
> I think the easiest fix to tighten this "umh modules" to CAP_SYS_ADMIN.
I don't think it actually fixes anything. It might just break things.
For all we know, people run modprobe with CAP_SYS_MODULE only, since
that is obviously the only capability it needs.
Hmm. I wish we had an "execute blob" model, but we really don't, and
it would be hard/impossible to do without pinning the pages in memory.
My gut feel is that the right direction to explore is:
- consider the module loaded for the whole duration of the execve. So
the execution is a *blocking* operation (and we get the correct
exclusion semantics)
- use deny_write_access() to make sure that we don't have active
writers and cannot get them during the execve.
The above mean that something that executes to load a new ebpf rule
will work very well. But a "start and forget" will not work (although
you can obviously do so with a internal fork/exec).
Hmm?
Linus