Re: [PATCH 1/4] module: add syscall to load module from fd

From: H. Peter Anvin
Date: Thu Oct 18 2012 - 11:37:10 EST


On 10/18/2012 08:28 AM, Kees Cook wrote:

The goal for finit_module is to make sure we're getting what's on the
filesystem, not an arbitrary blob, so we can reason about it for
security policy.


Yes, I get that... although I'm starting to think that that might actually be a really bad idea.

was confused about the functioning of the *current* init_module() system
call.

Given that, I have to say I now seriously question the value of
finit_module(). The kernel can trivially discover if the pointed-to memory
area is a MAP_SHARED mmap() of a file descriptor and if so which file
descriptor... why can't we handle this behind the scenes?

This makes me very nervous. I worry that it adds needless complexity
(it'd be many more checks besides "is it MAP_SHARED?", like "does the
memory region show the whole file?" "is the offset zero?" etc). Also
are we sure the memory area would truly be unmodifiable in the case
where the filesystem is read-only?

You may need to check for PROT_READONLY as well.

-hpa

--
H. Peter Anvin, Intel Open Source Technology Center
I work for Intel. I don't speak on their behalf.
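To make the checklist Kees enumerates concrete, here is an added userspace C example (not code from this thread, the finit_module patch series, or the kernel) that inspects a buffer through /proc/self/maps and applies those conditions: the VMA holding the buffer must be MAP_SHARED, must not carry PROT_WRITE, must start at file offset zero, and must cover the whole regular file behind the descriptor. In the kernel the same facts would be read directly off the VMA; the text parsing here only stands in for that. The temporary file, sizes and function names are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/stat.h>

/* Added example, not from the thread: userspace stand-in for the checks a
 * "find the MAP_SHARED mapping behind init_module()" design would need.
 * Returns 1 if [addr, addr+len) lies inside one VMA that is MAP_SHARED,
 * not writable, file-backed, at file offset 0, and len equals the size of
 * the regular file behind fd; otherwise 0. */
int mapping_is_whole_shared_readonly_file(const void *addr, size_t len, int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    /* "does the memory region show the whole file?" */
    if (len == 0 || (off_t)len != st.st_size)
        return 0;

    FILE *maps = fopen("/proc/self/maps", "r");
    if (maps == NULL)
        return 0;

    uintptr_t lo = (uintptr_t)addr, hi = lo + len;
    char line[512];
    int ok = 0;
    while (fgets(line, sizeof line, maps) != NULL) {
        unsigned long start, end, off;
        char perms[8];
        char path[256] = "";
        /* /proc/self/maps line: start-end perms offset dev inode [pathname] */
        if (sscanf(line, "%lx-%lx %7s %lx %*s %*s %255s",
                   &start, &end, perms, &off, path) < 4)
            continue;
        if (lo < start || hi > end)
            continue;               /* not the VMA that holds the buffer */
        ok = perms[3] == 's'        /* "is it MAP_SHARED?" ('p' = private copy) */
          && perms[1] != 'w'        /* no PROT_WRITE on this mapping */
          && off == 0               /* "is the offset zero?" */
          && path[0] == '/';        /* file-backed, not an anonymous region */
        break;
    }
    fclose(maps);
    return ok;
}

/* Constructed fixture: an unlinked temp file of file_len bytes, with its
 * first map_len bytes mapped using the given prot/flags. The descriptor is
 * returned via *fd_out so the checker can fstat() the same file. */
void *make_demo_mapping(size_t file_len, size_t map_len, int prot, int flags,
                        int *fd_out)
{
    char name[] = "/tmp/finit_demo_XXXXXX";   /* constructed path template */
    int fd = mkstemp(name);
    if (fd < 0)
        return MAP_FAILED;
    unlink(name);                   /* the open fd keeps the file alive */
    if (ftruncate(fd, (off_t)file_len) != 0) {
        close(fd);
        return MAP_FAILED;
    }
    void *p = mmap(NULL, map_len, prot, flags, fd, 0);
    if (p == MAP_FAILED) {
        close(fd);
        return MAP_FAILED;
    }
    *fd_out = fd;
    return p;
}

/* Runs four cases and sets one bit per case that behaved as expected:
 * bit 0 the accepted mapping, bits 1-3 the three rejections. 15 = all good. */
int demo_results(void)
{
    const size_t n = 8192;
    int fd, r = 0;
    void *p;

    /* shared, read-only, whole file, offset 0: accepted */
    p = make_demo_mapping(n, n, PROT_READ, MAP_SHARED, &fd);
    if (p != MAP_FAILED) {
        if (mapping_is_whole_shared_readonly_file(p, n, fd)) r |= 1;
        munmap(p, n); close(fd);
    }
    /* MAP_PRIVATE: a copy-on-write view, not the file's own pages: rejected */
    p = make_demo_mapping(n, n, PROT_READ, MAP_PRIVATE, &fd);
    if (p != MAP_FAILED) {
        if (!mapping_is_whole_shared_readonly_file(p, n, fd)) r |= 2;
        munmap(p, n); close(fd);
    }
    /* shared but PROT_WRITE: content could change after the check: rejected */
    p = make_demo_mapping(n, n, PROT_READ | PROT_WRITE, MAP_SHARED, &fd);
    if (p != MAP_FAILED) {
        if (!mapping_is_whole_shared_readonly_file(p, n, fd)) r |= 4;
        munmap(p, n); close(fd);
    }
    /* only the first half of the file mapped: rejected */
    p = make_demo_mapping(n, n / 2, PROT_READ, MAP_SHARED, &fd);
    if (p != MAP_FAILED) {
        if (!mapping_is_whole_shared_readonly_file(p, n / 2, fd)) r |= 8;
        munmap(p, n / 2); close(fd);
    }
    return r;
}

int main(void)
{
    int r = demo_results();
    printf("cases behaving as expected: 0x%x (expect 0xf)\n", r);
    return r == 15 ? 0 : 1;
}
```

Note that passing these checks says nothing about whether the file's pages can change underneath the reader: the absence of PROT_WRITE on this one mapping does not stop another writer, or a write(2) through a descriptor on the same file, from altering the shared page cache, which is exactly the read-only-filesystem question raised above. A design that reasons about "what is on the filesystem" has to pin the file itself, not just one process's view of it.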
