Re: [PATCH v5 next 1/5] modules:capabilities: add request_module_cap()

public inbox for netdev@vger.kernel.org 
 help / color / mirror / Atom feed

From: "Serge E. Hallyn" <serge@hallyn•com>
To: Theodore Ts'o <tytso@mit•edu>,
	"Serge E. Hallyn" <serge@hallyn•com>,
	David Miller <davem@davemloft•net>,
	gnomes@lxorguk•ukuu.org.uk, keescook@chromium•org,
	mcgrof@kernel•org, tixxdz@gmail•com, luto@kernel•org,
	akpm@linux-foundation•org, james.l.morris@oracle•com,
	ben.hutchings@codethink•co.uk, solar@openwall•com,
	jeyu@kernel•org, rusty@rustcorp•com.au,
	linux-kernel@vger•kernel.org,
	linux-security-module@vger•kernel.org,
	kernel-hardening@lists•openwall.com, corbet@lwn•net,
	mingo@kernel•org, netdev@vger•kernel.org, peterz@infradead•org,
	torvalds@linux-foundation•org
Subject: Re: [PATCH v5 next 1/5] modules:capabilities: add request_module_cap()
Date: Thu, 30 Nov 2017 11:17:51 -0600	[thread overview]
Message-ID: <20171130171751.GA5521@mail.hallyn.com> (raw)
In-Reply-To: <20171130003531.gwpl22bxmweifjz2@thunk.org>

On Wed, Nov 29, 2017 at 07:35:31PM -0500, Theodore Ts'o wrote:
> On Wed, Nov 29, 2017 at 11:28:52AM -0600, Serge E. Hallyn wrote:
> > 
> > Just to be clear, module loading requires - and must always continue to
> > require - CAP_SYS_MODULE against the initial user namespace.  Containers
> > in user namespaces do not have that.
> > 
> > I don't believe anyone has ever claimed that containers which are not in
> > a user namespace are in any way secure.
> 
> Unless the container performs some action which causes the kernel to
> call request_module(), which then loads some kernel module,

A local unprivileged user can do the same thing.  I reject the popular
notion that linux is a single user operating system.  More interesting
are the (very real) cases where root in a container can do something
which a local unprivileged user could not do.  Since a local unprivileged
user can always create a new namespace, *those* constitute a real and
interesting problem.

> potentially containing cr*p unmaintained code which was included when
> the distro compiled the world, into the host kernel.

> This is an attack vector that doesn't exist if you are using VM's.

Until the vm tenant uses a trivial vm escape.

> And in general, the attack surface of the entire Linux
> kernel<->userspace API is far larger than that which is exposed by the
> guest<->host interface.
> 
> For that reason, containers are *far* more insecure than VM's, since
> once the attacker gets root on the guest VM, they then have to attack
> the hypervisor interface.  And if you compare the attack surface of
> the two, it's pretty clear which is larger, and it's not the
> hypervisor interface.

Any time anyone spends a day looking at either the black hole that is
the hardware emulators or the xen and kvm code itself they walk away
with a set of cve's.  It *should* be more secure, it's not.  You're
telling me your house is safe because you put up a no tresspassing
sign.

-serge

next prev parent reply	other threads:[~2017-11-30 17:17 UTC|newest]

Thread overview: 49+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-11-27 17:18 [PATCH v5 next 0/5] Improve Module autoloading infrastructure Djalal Harouni
2017-11-27 17:18 ` [PATCH v5 next 1/5] modules:capabilities: add request_module_cap() Djalal Harouni
2017-11-27 18:48   ` Randy Dunlap
2017-11-27 21:35     ` Djalal Harouni
2017-11-28 19:14   ` Luis R. Rodriguez
2017-11-28 20:11     ` Kees Cook
2017-11-28 21:16       ` Luis R. Rodriguez
2017-11-28 21:33         ` Djalal Harouni
2017-11-28 22:18           ` Luis R. Rodriguez
2017-11-28 22:52             ` Djalal Harouni
2017-11-28 21:39         ` Kees Cook
2017-11-28 22:12           ` Luis R. Rodriguez
2017-11-28 22:18             ` Kees Cook
2017-11-28 22:48               ` Luis R. Rodriguez
2017-11-29  7:49                 ` Michal Kubecek
2017-11-29 13:46           ` Alan Cox
2017-11-29 14:50             ` David Miller
2017-11-29 15:54               ` Theodore Ts'o
2017-11-29 15:58                 ` David Miller
2017-11-29 16:29                   ` Theodore Ts'o
2017-11-29 22:45                   ` Linus Torvalds
2017-11-30  0:06                     ` Kees Cook
2017-11-29 17:28                 ` Serge E. Hallyn
2017-11-30  0:35                   ` Theodore Ts'o
2017-11-30 17:17                     ` Serge E. Hallyn [this message]
2017-11-28 20:18     ` Djalal Harouni
2017-11-27 17:18 ` [PATCH v5 next 2/5] modules:capabilities: add cap_kernel_module_request() permission check Djalal Harouni
2017-11-30  2:05   ` Luis R. Rodriguez
2017-11-27 17:18 ` [PATCH v5 next 3/5] modules:capabilities: automatic module loading restriction Djalal Harouni
2017-11-30  1:23   ` Luis R. Rodriguez
2017-11-30 12:22     ` Djalal Harouni
2017-11-27 17:18 ` [PATCH v5 next 4/5] modules:capabilities: add a per-task modules auto-load mode Djalal Harouni
2017-11-27 17:18 ` [PATCH v5 next 5/5] net: modules: use request_module_cap() to load 'netdev-%s' modules Djalal Harouni
2017-11-27 18:44   ` Linus Torvalds
2017-11-27 21:41     ` Djalal Harouni
2017-11-27 22:04       ` Linus Torvalds
2017-11-27 22:59         ` Kees Cook
2017-11-27 23:14           ` Linus Torvalds
2017-11-27 23:19             ` Kees Cook
2017-11-27 23:35               ` Linus Torvalds
2017-11-28  1:23             ` Kees Cook
2017-11-27 18:41 ` [PATCH v5 next 0/5] Improve Module autoloading infrastructure Linus Torvalds
2017-11-27 19:02   ` Linus Torvalds
2017-11-27 19:12     ` Linus Torvalds
2017-11-27 21:31       ` Djalal Harouni
2017-11-27 19:14   ` David Miller
2017-11-27 22:31     ` James Morris
2017-11-27 23:04       ` Kees Cook
2017-11-27 23:44         ` James Morris

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20171130171751.GA5521@mail.hallyn.com \
    --to=serge@hallyn$(echo .)com \
    --cc=akpm@linux-foundation$(echo .)org \
    --cc=ben.hutchings@codethink$(echo .)co.uk \
    --cc=corbet@lwn$(echo .)net \
    --cc=davem@davemloft$(echo .)net \
    --cc=gnomes@lxorguk$(echo .)ukuu.org.uk \
    --cc=james.l.morris@oracle$(echo .)com \
    --cc=jeyu@kernel$(echo .)org \
    --cc=keescook@chromium$(echo .)org \
    --cc=kernel-hardening@lists$(echo .)openwall.com \
    --cc=linux-kernel@vger$(echo .)kernel.org \
    --cc=linux-security-module@vger$(echo .)kernel.org \
    --cc=luto@kernel$(echo .)org \
    --cc=mcgrof@kernel$(echo .)org \
    --cc=mingo@kernel$(echo .)org \
    --cc=netdev@vger$(echo .)kernel.org \
    --cc=peterz@infradead$(echo .)org \
    --cc=rusty@rustcorp$(echo .)com.au \
    --cc=solar@openwall$(echo .)com \
    --cc=tixxdz@gmail$(echo .)com \
    --cc=torvalds@linux-foundation$(echo .)org \
    --cc=tytso@mit$(echo .)edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox