On Mon, May 22, 2017 at 03:49:15PM +0200, Djalal Harouni wrote: > On Mon, May 22, 2017 at 2:08 PM, Solar Designer <solar@xxxxxxxxxxxx> wrote: > > On Mon, May 22, 2017 at 01:57:03PM +0200, Djalal Harouni wrote: > >> *) When modules_autoload_mode is set to (2), automatic module loading is > >> disabled for all. Once set, this value can not be changed. > > > > What purpose does this securelevel-like property ("Once set, this value > > can not be changed.") serve here? I think this mode 2 is needed, but > > without this extra property, which is bypassable by e.g. explicitly > > loaded kernel modules anyway (and that's OK). > > My reasoning about "Once set, this value can not be changed" is mainly for: > > If you have some systems where modules are not updated for any given > reason, then the only one who will be able to load a module is an > administrator, basically this is a shortcut for: > > * Apps/services can run with CAP_NET_ADMIN but they are not allowed to > auto-load 'netdev' modules. > > * Explicitly loading modules can be guarded by seccomp filters *per* > app, so even if these apps have > CAP_SYS_MODULE they won't be able to explicitly load modules, one > has to remount some sysctl /proc/ entries read-only here and remove > CAP_SYS_ADMIN for all apps anyway. > > This mainly serves the purpose of these systems that do not receive > updates, if I don't want to expose those kernel interfaces what should > I do ? then if I want to unload old versions and replace them with new > ones what operation should be allowed ? and only real root of the > system can do it. Hence, the "Once set, this value can not be changed" > is more of a shortcut, also the idea was put in my mind based on how > "modules_disabled" is disabled forever, and some other interfaces. I > would say: it is easy to handle a transition from 1) "hey this system > is still up to date, some features should be exposed" to 2) "this > system is not up to date anymore, only root should expose some > features..." > > Hmm, I am not sure if this answers your question ? :-) This answers my question, but in a way that I summarize as "there's no good reason to include this securelevel-like property". > I definitively don't want to fall into "modules_disabled" trap where > is it too strict! "Once set, this value can not be changed" means for > some users do not set it otherwise the system is unusable... > > Maybe an extra "4" mode for that ? better get it right. I think you should simply exclude this property from mode 2. The module autoloading restrictions aren't meant to reduce root's powers; they're only meant to protect processes from shooting themselves and the system in the foot inadvertently (confused deputy). modules_disabled may be different in that respect, although with the rest of the kernel lacking securelevel-like support the point is moot. We had working securelevel in 2.0.34 through 2.0.40 inclusive, but we've lost it in 2.1+ with cap-bound apparently never becoming as complete a replacement for it and having been lost/broken further in 2.6.25+. I regret this, but that's a different story. Like I say, module autoloading doesn't even fit in with those restrictions - it's about a totally different threat model. Alexander -- To unsubscribe from this list: send the line "unsubscribe linux-doc" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html