tech-kern archive


Re: kernel module loading vs securelevel



On Sun, 17 Oct 2010, Izumi Tsutsui wrote:

} > I'm just asking if "options INSECURE is mandatory to use autoloading,"
} > not module/autoloading is secure/silly/boo or not.
}
} No.  As far as I can tell, there's a bug in the relevant kauth listener,
} at least in terms of the original intent of the author of the autoloading
} code; the system scope kauth listener should return DEFER, not DENY.

     module_listener_cb() was added to kern_module.c in revision 1.51
by elad.  The kauth_authorize_system() calls were added to
kern_module.c by ad, but the respective commit log messages don't say
anything about them, so the original intent of the author of the
autoloading code (ad) is unclear.

The following patch makes autoload work even on securelevel > 0,
but I'm not sure if it's correct and acceptable.
If not, options INSECURE is the only way to enable it.

Based on the discussion regarding the numerous ways in which this could be abused, I would personally vote for requiring INSECURE. At least that way, things are pretty clear. If the proposed patch were used, then you would have only "options MODULAR" in the kernel config file, which is not at all clear about the security of the resulting kernel.



Index: secmodel/securelevel/secmodel_securelevel.c
===================================================================
RCS file: /cvsroot/src/sys/secmodel/securelevel/secmodel_securelevel.c,v
retrieving revision 1.20
diff -u -p -r1.20 secmodel_securelevel.c
--- secmodel/securelevel/secmodel_securelevel.c 7 Oct 2009 01:06:57 -0000       
1.20
+++ secmodel/securelevel/secmodel_securelevel.c 16 Oct 2010 22:15:11 -0000
@@ -254,7 +254,7 @@ secmodel_securelevel_system_cb(kauth_cre
                break;

        case KAUTH_SYSTEM_MODULE:
-               if (securelevel > 0)
+               if ((uintptr_t)arg2 == 0 && securelevel > 0)
                        result = KAUTH_RESULT_DENY;
                break;
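Review bot: the new condition on the `case KAUTH_SYSTEM_MODULE` line makes the securelevel denial hinge entirely on `(uintptr_t)arg2 == 0`, yet nothing in the hunk records what arg2 carries or which callers pass a nonzero value, so any present or future kauth_authorize_system(KAUTH_SYSTEM_MODULE, ...) call site that passes a nonzero arg2 silently escapes the `securelevel > 0` restriction in this secmodel. Suggest a comment directly above the check naming the argument's meaning (the autoload flag this thread is about) and a matching securelevel(7)/kauth(9) documentation update, so that the relaxed rule is visible to administrators; that also answers the objection that "options MODULAR" alone no longer says anything about the security of the resulting kernel.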


---
Izumi Tsutsui

-------------------------------------------------------------------------
| Paul Goyette     | PGP Key fingerprint:     | E-mail addresses:       |
| Customer Service | FA29 0E3B 35AF E8AE 6651 | paul at whooppee.com    |
| Network Engineer | 0786 F758 55DE 53BA 7731 | pgoyette at juniper.net |
| Kernel Developer |                          | pgoyette at netbsd.org  |
-------------------------------------------------------------------------

