[Patch] kexec_load: check CAP_SYS_MODULE
Eric W. Biederman
ebiederm at xmission.com
Fri Jan 7 15:10:44 EST 2011
Eric Paris <eparis at parisplace.org> writes:
> On Thu, Jan 6, 2011 at 3:47 AM, Eric W. Biederman <ebiederm at xmission.com> wrote:
>> Amerigo Wang <amwang at redhat.com> writes:
>>> Eric pointed out that kexec_load() actually allows you to
>>> run any code you want in ring0, this is more like CAP_SYS_MODULE.
>> Let me get this straight you want to make the permission checks
>> less stringent by allowing either CAP_SYS_MODULE or CAP_SYS_BOOT?
> Nope, read my patch again. It actually requires BOTH of them.
Ah right. Testing the negative and going to -EPERM.
>> CAP_SYS_BOOT is the correct capability. Sure you can run any
>> code but only after rebooting. I don't see how this differs
>> from any other reboot scenario.
> The difference is that after a reboot the bootloader and the system
> control what code is run. kexec_load() immediately runs the new
> kernel which is not controlled by the bootloader or by the system.
> Imagine a situation where the bootloader and the /boot directory are
> RO (enforced by hardware). kexec_load() would let you run any kernel
> code you want on the box whereas reboot would not.
The scenario is imaginable (not common but imaginable) but I don't see
how requiring CAP_SYS_MODULE makes anything better.
If I was building a configuration where I didn't want anyone to be able
to direct the kernel into a different state by locking down the
bootloaders I expect I would compile out the syscall as well.
Most bootloaders have the option of booting something else the mechanism
is just different. I really don't see what the addition of
CAP_SYS_MODULE gains you.
Right now CAP_SYS_BOOT still makes sense to me and CAP_SYS_MODULE stills
seems like nonsense in this context.
More information about the kexec