OpenE2K
/
linux
6
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
linux/net
History
Vasiliy Kulikov 8909c9ad8f net: don't allow CAP_NET_ADMIN to load non-netdev kernel modules 
Since a8f80e8ff9 any process with
CAP_NET_ADMIN may load any module from /lib/modules/.  This doesn't mean
that CAP_NET_ADMIN is a superset of CAP_SYS_MODULE as modules are
limited to /lib/modules/**.  However, CAP_NET_ADMIN capability shouldn't
allow anybody load any module not related to networking.

This patch restricts an ability of autoloading modules to netdev modules
with explicit aliases.  This fixes CVE-2011-1019.

Arnd Bergmann suggested to leave untouched the old pre-v2.6.32 behavior
of loading netdev modules by name (without any prefix) for processes
with CAP_SYS_MODULE to maintain the compatibility with network scripts
that use autoloading netdev modules by aliases like "eth0", "wlan0".

Currently there are only three users of the feature in the upstream
kernel: ipip, ip_gre and sit.

    root@albatros:~# capsh --drop=$(seq -s, 0 11),$(seq -s, 13 34) --
    root@albatros:~# grep Cap /proc/$$/status
    CapInh:	0000000000000000
    CapPrm:	fffffff800001000
    CapEff:	fffffff800001000
    CapBnd:	fffffff800001000
    root@albatros:~# modprobe xfs
    FATAL: Error inserting xfs
    (/lib/modules/2.6.38-rc6-00001-g2bf4ca3/kernel/fs/xfs/xfs.ko): Operation not permitted
    root@albatros:~# lsmod | grep xfs
    root@albatros:~# ifconfig xfs
    xfs: error fetching interface information: Device not found
    root@albatros:~# lsmod | grep xfs
    root@albatros:~# lsmod | grep sit
    root@albatros:~# ifconfig sit
    sit: error fetching interface information: Device not found
    root@albatros:~# lsmod | grep sit
    root@albatros:~# ifconfig sit0
    sit0      Link encap:IPv6-in-IPv4
	      NOARP  MTU:1480  Metric:1

    root@albatros:~# lsmod | grep sit
    sit                    10457  0
    tunnel4                 2957  1 sit

For CAP_SYS_MODULE module loading is still relaxed:

    root@albatros:~# grep Cap /proc/$$/status
    CapInh:	0000000000000000
    CapPrm:	ffffffffffffffff
    CapEff:	ffffffffffffffff
    CapBnd:	ffffffffffffffff
    root@albatros:~# ifconfig xfs
    xfs: error fetching interface information: Device not found
    root@albatros:~# lsmod | grep xfs
    xfs                   745319  0

Reference: https://lkml.org/lkml/2011/2/24/203

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Acked-by: David S. Miller <davem@davemloft.net>
Acked-by: Kees Cook <kees.cook@canonical.com>
Signed-off-by: James Morris <jmorris@namei.org>
 		2011-03-10 10:25:19 +11:00
..
9p net/9p: Use proper data types 2011-01-11 09:58:07 -06:00
802
8021q
appletalk
atm Merge branch 'for-2.6.38' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq 2011-01-07 16:58:04 -08:00
ax25 net: ax25: fix information leak to userland harder 2011-01-12 00:34:49 -08:00
batman-adv batman-adv: Linearize fragment packets before merge 2011-02-08 00:54:31 +01:00
bluetooth Bluetooth: Release BTM while sleeping to avoid deadlock 2011-02-16 15:54:11 -03:00
bridge bridge: Use IPv6 link-local address for multicast listener queries 2011-02-22 10:07:29 -08:00
caif net/caif: Fix dangling list pointer in freed object on error. 2011-02-08 14:31:31 -08:00
can can: test size of struct sockaddr in sendmsg 2011-01-15 20:56:42 -08:00
ceph libceph: fix msgr standby handling 2011-03-04 12:25:05 -08:00
core net: don't allow CAP_NET_ADMIN to load non-netdev kernel modules 2011-03-10 10:25:19 +11:00
dcb net: dcbnl: check correct ops in dcbnl_ieee_set() 2011-03-02 15:04:33 -08:00
dccp dccp: fix oops on Reset after close 2011-03-01 23:02:07 -08:00
decnet Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2011-01-13 10:05:56 -08:00
dns_resolver DNS: Fix a NULL pointer deref when trying to read an error key [CVE-2011-1076] 2011-03-04 09:56:19 +11:00
dsa module: fix missing semicolons in MODULE macro usage 2011-01-24 14:32:54 +10:30
econet econet: remove compiler warnings 2011-01-27 14:15:54 -08:00
ethernet eth: fix new kernel-doc warning 2011-01-12 19:00:40 -08:00
ieee802154
ipv4 net: don't allow CAP_NET_ADMIN to load non-netdev kernel modules 2011-03-10 10:25:19 +11:00
ipv6 net: don't allow CAP_NET_ADMIN to load non-netdev kernel modules 2011-03-10 10:25:19 +11:00
ipx
irda Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2010-12-26 22:37:05 -08:00
iucv [S390] irq: have detailed statistics for interrupt types 2011-01-05 12:47:25 +01:00
key
l2tp
lapb
llc
mac80211 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 2011-02-22 11:53:05 -08:00
netfilter netfilter: nf_log: avoid oops in (un)bind with invalid nfproto values 2011-03-02 12:10:13 +01:00
netlabel net: kill unused macros 2010-12-19 21:59:35 -08:00
netlink netlink: handle errors from netlink_dump() 2011-02-28 12:18:12 -08:00
netrom
packet net: Use skb_checksum_start_offset() 2010-12-16 14:43:14 -08:00
phonet phonet: some signedness bugs 2011-01-10 13:33:17 -08:00
rds
rfkill kconfig: rename CONFIG_EMBEDDED to CONFIG_EXPERT 2011-01-20 17:02:05 -08:00
rose
rxrpc Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2011-03-03 15:43:15 -08:00
sched net: Fix more stale on-stack list_head objects. 2011-02-20 11:49:45 -08:00
sctp sctp: fix reporting of unknown parameters 2011-02-19 19:06:55 -08:00
sunrpc NFS do not find client in NFSv4 pg_authenticate 2011-01-25 15:26:51 -05:00
tipc tipc: update log.h re-include protection to reflect new name 2011-01-01 14:56:18 -08:00
unix af_unix: Avoid socket->sk NULL OOPS in stream connect security hooks. 2011-01-05 15:38:53 -08:00
wanrouter
wimax
wireless Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 2011-02-22 11:53:05 -08:00
x25 x25: Do not reference freed memory. 2011-02-09 22:36:13 -08:00
xfrm xfrm: avoid possible oopse in xfrm_alloc_dst 2011-02-10 23:08:33 -08:00
Kconfig Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2011-01-13 10:05:56 -08:00
Makefile net: Add batman-adv meshing protocol 2010-12-16 13:44:24 -08:00
TUNABLE
compat.c
nonet.c
socket.c pass default dentry_operations to mount_pseudo() 2011-01-12 20:03:43 -05:00
sysctl_net.c