On Thu, Mar 8, 2018 at 5:38 PM, Linus Torvalds <torva...@linux-foundation.org> wrote: > On Thu, Mar 8, 2018 at 4:59 PM, Andy Lutomirski <l...@amacapital.net> wrote: >> >> Also, I don't see how this is any more exploitable than any other >> init_module(). > > Absolutely. If Kees doesn't trust the files to be loaded, an > executable - even if it's running with root privileges and in the > initns - is still fundamentally weaker than a kernel module. > > So I don't understand the security argument AT ALL. It's nonsensical. > The executable loading does all the same security checks that the > module loading does, including the signing check. > > And the whole point is that we can now do things with building and > loading a ebpf rule instead of having a full module.
My concerns are mostly about crossing namespaces. If a container triggers an autoload, the result runs in the init_ns. So, really, there's nothing new from my perspective, except that it's in userspace instead of in the kernel. Perhaps it's an orthogonal concern. -Kees -- Kees Cook Pixel Security
