On Sat, Apr 22, 2017 at 1:51 AM, Andy Lutomirski <luto@xxxxxxxxxx> wrote: [...] >>> I personally like my implicit_rights idea, and it might be interesting >>> to prototype it. >> >> I don't like blocking a needed feature behind a large super-feature >> that doesn't exist yet. We'd be able to refactor this code into using >> such a thing in the future, so I'd prefer to move ahead with this >> since it would stop actual exploits. > > I don't think the super-feature is so hard, and I think we should not > add the per-task thing the way it's done in this patch. Let's not add > per-task things where the best argument for their security is "not > sure how it would be exploited". Actually the XFRM framework CVE-2017-7184 [1] is one real example, of course there are others. The exploit was used on a generic distro during a security contest that distro is Ubuntu. That distro will never provide a module autoloading restriction by default to not harm it's users. Consumers or containers/sandboxes then can run their confined apps using such facilities. These bugs will stay in embedded devices that use these generic distros for ever. > Anyway, I think the sysctl is really the important bit. The per-task > setting is icing on the cake IMO. One upon a time autoload was more > important, but these days modaliases are supposed to do most of the > work. I bet that modern distros don't need unprivileged autoload at > all. Actually I think they do and we can't just change that. Users may depend on it, it is a well established facility. Now the other problem is CAP_NET_ADMIN which does lot of things, it is more like the CAP_SYS_ADMIN. This is a quick list that I got from only the past months, I'm pretty sure there are more: * DCCP use after free CVE-2017-6074 * n_hldc CVE-2017-2636 * XFRM framework CVE-2017-7184 * L2TPv3 CVE-2016-10200 Most of these need CAP_NET_ADMIN to be autoloaded, however we also need CAP_NET_ADMIN for other things... therefore it is better to have an extra facility that could coexist with CAP_NET_ADMIN and other sandbox features. [1] http://www.openwall.com/lists/oss-security/2017/03/29/2 -- tixxdz -- To unsubscribe from this list: send the line "unsubscribe linux-api" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html