user ns: arbitrary module loading

From: Kees Cook
Date: Fri Mar 01 2013 - 20:22:48 EST


The rearranging done for user ns has resulted in allowing arbitrary
kernel module loading[1] (i.e. re-introducing a form of CVE-2011-1019)
by what is assumed to be an unprivileged process.

At present, it does look to require at least CAP_SETUID along the way
to set up the uidmap (but things like the setuid helper newuidmap
might soon start providing such a thing by default).

It might be worth examining GRKERNSEC_MODHARDEN in grsecurity, which
examines module symbols to verify that request_module() for a
filesystem only loads a module that defines "register_filesystem"
(among other things).

-Kees

[1] https://twitter.com/grsecurity/status/307473816672665600

--
Kees Cook
Chrome OS Security
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
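The MODHARDEN idea mentioned in the message (only let a `request_module()` call for a given subsystem alias be satisfied by a module that actually defines that subsystem's registration symbol) can be modelled outside the kernel. The following C program is an added example, not grsecurity's code nor anything from the thread; it is a user-space model in which a module's symbol table is a constructed array rather than the ELF symbol table the real kernel would inspect before running the module's init. The `fs-` to `register_filesystem` rule is the one the message describes; the `net-pf-` to `sock_register` rule, the `fake_module` structure and the `modharden_check()` name are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * User-space model (not kernel code) of a MODHARDEN-style policy: the
 * name passed to request_module() is matched by prefix against the
 * symbol a legitimate module for that subsystem must define.
 * "fs-" -> "register_filesystem" is the rule described in the message;
 * "net-pf-" -> "sock_register" is an assumption of this example.
 */
struct modharden_rule {
    const char *prefix;           /* request_module() alias prefix */
    const char *required_symbol;  /* symbol the module must define */
};

static const struct modharden_rule rules[] = {
    { "fs-",     "register_filesystem" },
    { "net-pf-", "sock_register" },
};

/* Constructed stand-in for a module's symbol table. In the real kernel
 * this information would come from the module image itself, before
 * its init function is allowed to run. */
struct fake_module {
    const char *name;
    const char *const *symbols;
    size_t nsyms;
};

static bool module_defines(const struct fake_module *m, const char *sym)
{
    for (size_t i = 0; i < m->nsyms; i++)
        if (strcmp(m->symbols[i], sym) == 0)
            return true;
    return false;
}

/* Returns 0 if the module may satisfy the request, -1 if the request's
 * prefix has a rule and the module lacks the required symbol. Requests
 * with no matching prefix fall through unrestricted, mirroring a policy
 * that only constrains the aliases known to be reachable by unprivileged
 * callers. */
int modharden_check(const char *request, const struct fake_module *m)
{
    for (size_t i = 0; i < sizeof(rules) / sizeof(rules[0]); i++) {
        const struct modharden_rule *r = &rules[i];
        if (strncmp(request, r->prefix, strlen(r->prefix)) != 0)
            continue;
        return module_defines(m, r->required_symbol) ? 0 : -1;
    }
    return 0;
}

/* Constructed sample modules: one that looks like a filesystem driver,
 * one unrelated driver that defines no subsystem registration symbol. */
static const char *const fs_syms[] = {
    "init_module", "register_filesystem", "unregister_filesystem"
};
static const char *const other_syms[] = { "init_module", "cleanup_module" };

const struct fake_module sample_fs_module = {
    "samplefs", fs_syms, sizeof(fs_syms) / sizeof(fs_syms[0])
};
const struct fake_module sample_other_module = {
    "otherdrv", other_syms, sizeof(other_syms) / sizeof(other_syms[0])
};

int main(void)
{
    /* Constructed request strings; the last one has no rule at all. */
    const char *reqs[] = { "fs-samplefs", "fs-otherdrv", "net-pf-99", "char-major-4-0" };
    for (size_t i = 0; i < sizeof(reqs) / sizeof(reqs[0]); i++) {
        const struct fake_module *m = (i == 0) ? &sample_fs_module
                                               : &sample_other_module;
        printf("%-16s via %-9s -> %s\n", reqs[i], m->name,
               modharden_check(reqs[i], m) == 0 ? "allowed" : "denied");
    }
    return 0;
}
```

The point of the check is that the alias prefix an unprivileged path can trigger (such as `fs-<name>` from a mount) is tied to the kind of module it is allowed to pull in, so an arbitrary module name reachable through that path no longer loads unless the module really is a filesystem driver; aliases with no rule behave exactly as before.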