diff options
author | Eric Paris <eparis@redhat.com> | 2011-04-01 17:07:50 -0400 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2011-04-04 10:31:04 +1000 |
commit | 17f60a7da150fdd0cfb9756f86a262daa72c835f (patch) | |
tree | 1c5ece75d66bed0766de861cde6eb18ee7ea4cf2 /include | |
parent | cfc64fd91fabed099a4c3df58559f4b7efe9bcce (diff) |
capabilites: allow the application of capability limits to usermode helpers
There is no way to limit the capabilities of usermodehelpers. This problem
reared its head recently when someone complained that any user with
cap_net_admin was able to load arbitrary kernel modules, even though the user
didn't have cap_sys_module. The reason is because the actual load is done by
a usermode helper and those always have the full cap set. This patch addes new
sysctls which allow us to bound the permissions of usermode helpers.
/proc/sys/kernel/usermodehelper/bset
/proc/sys/kernel/usermodehelper/inheritable
You must have CAP_SYS_MODULE and CAP_SETPCAP to change these (changes are
&= ONLY). When the kernel launches a usermodehelper it will do so with these
as the bset and pI.
-v2: make globals static
create spinlock to protect globals
-v3: require both CAP_SETPCAP and CAP_SYS_MODULE
-v4: fix the typo s/CAP_SET_PCAP/CAP_SETPCAP/ because I didn't commit
Signed-off-by: Eric Paris <eparis@redhat.com>
No-objection-from: Serge E. Hallyn <serge.hallyn@canonical.com>
Acked-by: David Howells <dhowells@redhat.com>
Acked-by: Serge E. Hallyn <serge.hallyn@canonical.com>
Acked-by: Andrew G. Morgan <morgan@kernel.org>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'include')
-rw-r--r-- | include/linux/kmod.h | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/include/linux/kmod.h b/include/linux/kmod.h index 6efd7a78de6..79bb98d7185 100644 --- a/include/linux/kmod.h +++ b/include/linux/kmod.h @@ -24,6 +24,7 @@ #include <linux/errno.h> #include <linux/compiler.h> #include <linux/workqueue.h> +#include <linux/sysctl.h> #define KMOD_PATH_LEN 256 @@ -109,6 +110,8 @@ call_usermodehelper(char *path, char **argv, char **envp, enum umh_wait wait) NULL, NULL, NULL); } +extern struct ctl_table usermodehelper_table[]; + extern void usermodehelper_init(void); extern int usermodehelper_disable(void); |