On Thu, Mar 8, 2018 at 9:08 PM, Alexei Starovoitov <ast@xxxxxx> wrote:
>
> there is not abi breakage and file cannot disappear from running task.
> One cannot umount fs while file is still being used.

I think that "cannot umount" part _is_ the ABI breakage that Andy is talking about.

> Not only "read twice", but "read many".
> If .text sections of elf that are not yet in memory can be modified
> by malicious user, later they will be brought in with different code.
> I think the easiest fix to tighten this "umh modules" to CAP_SYS_ADMIN.

I don't think it actually fixes anything. It might just break things. For all we know, people run modprobe with CAP_SYS_MODULE only, since that is obviously the only capability it needs.

Hmm. I wish we had an "execute blob" model, but we really don't, and it would be hard/impossible to do without pinning the pages in memory.

My gut feel is that the right direction to explore is:

 - consider the module loaded for the whole duration of the execve. So the execution is a *blocking* operation (and we get the correct exclusion semantics)

 - use deny_write_access() to make sure that we don't have active writers and cannot get them during the execve.

The above means that something that executes to load a new ebpf rule will work very well. But a "start and forget" will not work (although you can obviously do so with an internal fork/exec).

Hmm?

                  Linus
--
To unsubscribe from this list: send the line "unsubscribe linux-api" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
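The exclusion that deny_write_access() gives a running executable is visible from user space as ETXTBSY: while a file is being executed it cannot be opened for writing, so its not-yet-faulted .text pages cannot be swapped out from under it. The following added example (not part of the thread, and not kernel code) demonstrates that by copying /bin/sh, executing the copy, and trying to open it for writing during and after the execution; it assumes /bin/sh exists and that the working directory is writable and not mounted noexec.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Copy /bin/sh into the working directory (assumption: /bin/sh exists and
 * the cwd is writable and executable). Returns the path or NULL on failure. */
static char *copy_shell(void) {
    static char path[] = "./umh-demo-XXXXXX";
    char buf[65536];
    ssize_t n;
    int in = open("/bin/sh", O_RDONLY), out = mkstemp(path);
    if (in < 0 || out < 0) return NULL;
    while ((n = read(in, buf, sizeof buf)) > 0)
        if (write(out, buf, n) != n) return NULL;
    fchmod(out, 0755);
    close(in);
    close(out);
    return path;
}

/* Execute the copy, try to open it for writing while it runs, then again after
 * it has exited. Returns errno of the first attempt (ETXTBSY expected) and
 * stores errno of the second attempt (0 expected) in *after. */
int write_errno_while_running(int *after) {
    int sync[2], in[2], fd;
    char byte;
    char *path = copy_shell();
    if (!path || pipe2(sync, O_CLOEXEC) < 0 || pipe(in) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {              /* child: shell blocks in its read builtin */
        dup2(in[0], 0);
        close(in[1]);
        execl(path, "sh", "-c", "read line", (char *)NULL);
        _exit(127);
    }
    close(sync[1]);
    close(in[0]);
    if (read(sync[0], &byte, 1) < 0) return -1; /* EOF once exec closed it */
    fd = open(path, O_WRONLY);   /* deny_write_access() in effect -> ETXTBSY */
    int during = fd < 0 ? errno : 0;
    if (fd >= 0) close(fd);
    close(in[1]);                /* EOF on stdin lets the shell exit */
    waitpid(pid, NULL, 0);
    fd = open(path, O_WRONLY);   /* no longer executing: writing allowed again */
    *after = fd < 0 ? errno : 0;
    if (fd >= 0) close(fd);
    unlink(path);
    return during;
}
```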