root and capabilities list

Colin Watson cjwatson at
Wed Oct 15 00:54:49 UTC 2014

On Tue, Oct 14, 2014 at 10:44:26PM +0400, ds wrote:
> On 14.10.2014 22:37, Martin Pitt wrote:
> >Note that at least CAP_SYS_MODULE is equivalent to root (as you can
> >load any local .ko which can then provide you with a backdoor into
> >the kernel),
> I guess you have to put the .ko file at a protected place of
> filesystem for it to get loaded.

No, the init_module(2) syscall takes the module image as a buffer in
memory, and you can use that syscall if you have CAP_SYS_MODULE.

> And maybe it would even require recompiling kernel with your .ko in
> mind.

It is very unlikely that one would not be able to find some way to
escalate to root given the ability to construct an arbitrary kernel
module, without needing to recompile the kernel.  In general, once an
attacker can load kernel modules, you've already lost.  Martin's right -
CAP_SYS_MODULE is functionally equivalent to root.

Colin Watson                                       [cjwatson at]

More information about the Ubuntu-devel-discuss mailing list