Networking: use CAP_NET_ADMIN when deciding to call request_module

The networking code checks CAP_SYS_MODULE before using request_module() to try to load a kernel module. While this seems reasonable it's actually weakening system security since we have to allow CAP_SYS_MODULE for things like /sbin/ip and bluetoothd which need to be able to trigger module loads. CAP_SYS_MODULE actually grants those binaries the ability to directly load any code into the kernel. We should instead be protecting modprobe and the modules on disk, rather than granting random programs the ability to load code directly into the kernel. Instead we are going to gate those networking checks on CAP_NET_ADMIN which still limits them to root but which does not grant those processes the ability to load arbitrary code into the kernel. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Serge Hallyn <serue@us.ibm.com> Acked-by: Paul Moore <paul.moore@hp.com> Acked-by: David S. Miller <davem@davemloft.net> Signed-off-by: James Morris <jmorris@namei.org>
author: Eric Paris <eparis@redhat.com> 2009-08-13 09:44:51 -0400
committer: James Morris <jmorris@namei.org> 2009-08-13 21:18:34 -0400
commit: a8f80e8ff94ecba629542d9b4b5f5a8ee3eb565c (patch)
tree: 10394b813c653933f4eb6034c5dc2bd4720cc837
parent: 8b4bfc7feb005d84e2bd0831d8331a304e9d6483 (diff)
3 files changed, 7 insertions, 7 deletions
diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c
index 9d7c99394ec6..640f65c6ef84 100644
--- a/drivers/staging/comedi/comedi_fops.c
+++ b/drivers/staging/comedi/comedi_fops.c
@@ -1752,12 +1752,12 @@ static int comedi_open(struct inode *inode, struct file *file)
        mutex_lock(&dev->mutex);
        if (dev->attached)
                goto ok;
-        if (!capable(CAP_SYS_MODULE) && dev->in_request_module) {
+        if (!capable(CAP_NET_ADMIN) && dev->in_request_module) {
                DPRINTK("in request module\n");
                mutex_unlock(&dev->mutex);
                return -ENODEV;
        }
-        if (capable(CAP_SYS_MODULE) && dev->in_request_module)
+        if (capable(CAP_NET_ADMIN) && dev->in_request_module)
                goto ok;
        dev->in_request_module = 1;
@@ -1770,8 +1770,8 @@ static int comedi_open(struct inode *inode, struct file *file)
        dev->in_request_module = 0;
-        if (!dev->attached && !capable(CAP_SYS_MODULE)) {
+        if (!dev->attached && !capable(CAP_NET_ADMIN)) {
-                DPRINTK("not attached and not CAP_SYS_MODULE\n");
+                DPRINTK("not attached and not CAP_NET_ADMIN\n");
                mutex_unlock(&dev->mutex);
                return -ENODEV;
        }
diff --git a/net/core/dev.c b/net/core/dev.c
index 6a94475aee85..278d489aad3b 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1031,7 +1031,7 @@ void dev_load(struct net *net, const char *name)
        dev = __dev_get_by_name(net, name);
        read_unlock(&dev_base_lock);
-        if (!dev && capable(CAP_SYS_MODULE))
+        if (!dev && capable(CAP_NET_ADMIN))
                request_module("%s", name);
 }
diff --git a/net/ipv4/tcp_cong.c b/net/ipv4/tcp_cong.c
index e92beb9e55e0..6428b342b164 100644
--- a/net/ipv4/tcp_cong.c
+++ b/net/ipv4/tcp_cong.c
@@ -116,7 +116,7 @@ int tcp_set_default_congestion_control(const char *name)
        spin_lock(&tcp_cong_list_lock);
        ca = tcp_ca_find(name);
 #ifdef CONFIG_MODULES
-        if (!ca && capable(CAP_SYS_MODULE)) {
+        if (!ca && capable(CAP_NET_ADMIN)) {
                spin_unlock(&tcp_cong_list_lock);
                request_module("tcp_%s", name);
@@ -246,7 +246,7 @@ int tcp_set_congestion_control(struct sock *sk, const char *name)
 #ifdef CONFIG_MODULES
        /* not found attempt to autoload module */
-        if (!ca && capable(CAP_SYS_MODULE)) {
+        if (!ca && capable(CAP_NET_ADMIN)) {
                rcu_read_unlock();
                request_module("tcp_%s", name);
                rcu_read_lock();
author	Eric Paris <eparis@redhat.com>	2009-08-13 09:44:51 -0400
committer	James Morris <jmorris@namei.org>	2009-08-13 21:18:34 -0400
commit	a8f80e8ff94ecba629542d9b4b5f5a8ee3eb565c (patch)
tree	10394b813c653933f4eb6034c5dc2bd4720cc837
parent	8b4bfc7feb005d84e2bd0831d8331a304e9d6483 (diff)

diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c index 9d7c99394ec6..640f65c6ef84 100644 --- a/drivers/staging/comedi/comedi_fops.c +++ b/drivers/staging/comedi/comedi_fops.c
@@ -1752,12 +1752,12 @@ static int comedi_open(struct inode inode, struct file file)
1752	mutex_lock(&dev->mutex);	1752	mutex_lock(&dev->mutex);
1753	if (dev->attached)	1753	if (dev->attached)
1754	goto ok;	1754	goto ok;
1755	if (!capable(CAP_SYS_MODULE) && dev->in_request_module) {	1755	if (!capable(CAP_NET_ADMIN) && dev->in_request_module) {
1756	DPRINTK("in request module\n");	1756	DPRINTK("in request module\n");
1757	mutex_unlock(&dev->mutex);	1757	mutex_unlock(&dev->mutex);
1758	return -ENODEV;	1758	return -ENODEV;
1759	}	1759	}
1760	if (capable(CAP_SYS_MODULE) && dev->in_request_module)	1760	if (capable(CAP_NET_ADMIN) && dev->in_request_module)
1761	goto ok;	1761	goto ok;
1762		1762
1763	dev->in_request_module = 1;	1763	dev->in_request_module = 1;
@@ -1770,8 +1770,8 @@ static int comedi_open(struct inode inode, struct file file)
1770		1770
1771	dev->in_request_module = 0;	1771	dev->in_request_module = 0;
1772		1772
1773	if (!dev->attached && !capable(CAP_SYS_MODULE)) {	1773	if (!dev->attached && !capable(CAP_NET_ADMIN)) {
1774	DPRINTK("not attached and not CAP_SYS_MODULE\n");	1774	DPRINTK("not attached and not CAP_NET_ADMIN\n");
1775	mutex_unlock(&dev->mutex);	1775	mutex_unlock(&dev->mutex);
1776	return -ENODEV;	1776	return -ENODEV;
1777	}	1777	}


diff --git a/net/core/dev.c b/net/core/dev.c index 6a94475aee85..278d489aad3b 100644 --- a/net/core/dev.c +++ b/net/core/dev.c
@@ -1031,7 +1031,7 @@ void dev_load(struct net net, const char name)
1031	dev = __dev_get_by_name(net, name);	1031	dev = __dev_get_by_name(net, name);
1032	read_unlock(&dev_base_lock);	1032	read_unlock(&dev_base_lock);
1033		1033
1034	if (!dev && capable(CAP_SYS_MODULE))	1034	if (!dev && capable(CAP_NET_ADMIN))
1035	request_module("%s", name);	1035	request_module("%s", name);
1036	}	1036	}
1037		1037


diff --git a/net/ipv4/tcp_cong.c b/net/ipv4/tcp_cong.c index e92beb9e55e0..6428b342b164 100644 --- a/net/ipv4/tcp_cong.c +++ b/net/ipv4/tcp_cong.c
@@ -116,7 +116,7 @@ int tcp_set_default_congestion_control(const char *name)
116	spin_lock(&tcp_cong_list_lock);	116	spin_lock(&tcp_cong_list_lock);
117	ca = tcp_ca_find(name);	117	ca = tcp_ca_find(name);
118	#ifdef CONFIG_MODULES	118	#ifdef CONFIG_MODULES
119	if (!ca && capable(CAP_SYS_MODULE)) {	119	if (!ca && capable(CAP_NET_ADMIN)) {
120	spin_unlock(&tcp_cong_list_lock);	120	spin_unlock(&tcp_cong_list_lock);
121		121
122	request_module("tcp_%s", name);	122	request_module("tcp_%s", name);
@@ -246,7 +246,7 @@ int tcp_set_congestion_control(struct sock sk, const char name)
246		246
247	#ifdef CONFIG_MODULES	247	#ifdef CONFIG_MODULES
248	/* not found attempt to autoload module */	248	/* not found attempt to autoload module */
249	if (!ca && capable(CAP_SYS_MODULE)) {	249	if (!ca && capable(CAP_NET_ADMIN)) {
250	rcu_read_unlock();	250	rcu_read_unlock();
251	request_module("tcp_%s", name);	251	request_module("tcp_%s", name);
252	rcu_read_lock();	252	rcu_read_lock();