Bug#888952: nvidia-driver and opencl
Hiromasa YOSHIMOTO
hiromasa.yoshimoto at gmail.com
Tue Feb 6 12:13:40 UTC 2018
Dear Andreas,
Thank you for your information. I've just checked CAP_SYS_MODULE capability.
First, EPERM is returned by the finit_module syscall. It is defined
in linux-4.14/kernel/module.c and checks CAP_SYS_MODULE as below:
    static int may_init_module(void)
    {
        if (!capable(CAP_SYS_MODULE) || modules_disabled)
            return -EPERM;
        return 0;
    }
So, I think the required capability is CAP_SYS_MODULE only.
Next, I checked when and where CAP_SYS_MODULE is lost.
I added the code below to both nvidia-modprobe and /sbin/insmod (/bin/kmod),
which is called by nvidia-modprobe internally.
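    #include <sys/capability.h>   /* libcap; link with -lcap */

    cap_flag_value_t value;
    cap_t cap = cap_get_proc();
    /* Queries the permitted set; the kernel's capable() tests the effective set (CAP_EFFECTIVE). */
    cap_get_flag(cap, CAP_SYS_MODULE, CAP_PERMITTED, &value);
    fprintf(stderr, "CAP_SYS_MODULE: %d\n", (CAP_SET == value));
    cap_free(cap);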
From my observations, setuid nvidia-modprobe has CAP_SYS_MODULE already;
additional capability was not needed for nvidia-modprobe.
However, the capability is lost in /bin/kmod.
I'm trying the tricks below, but I am still struggling.
- /sbin/setcap cap_sys_module+eip nvidia-modprobe
- Added prctl(PR_SET_KEEPCAPS,1) to nvidia-modprobe
Best,
Hiromasa YOSHIMOTO
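
Added example, not part of the original message and not code from nvidia-modprobe or kmod: a libcap-free variant of the diagnostic above that reports CAP_SYS_MODULE in all five capability sets (effective, permitted, inheritable, bounding, ambient) through the raw capget and prctl interfaces, so the same line can be printed on both sides of an exec. The names cap_report and cap_report_self are hypothetical.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Added example; cap_report and cap_report_self are hypothetical names.
 * Each field is 1 = set, 0 = clear, -1 = the kernel could not answer. */
struct cap_report {
    int effective, permitted, inheritable, bounding, ambient;
};

/* Fill *r for capability number cap; returns 0, or -1 if capget fails. */
int cap_report_self(int cap, struct cap_report *r)
{
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    unsigned idx = CAP_TO_INDEX(cap);
    unsigned mask = CAP_TO_MASK(cap);

    memset(&hdr, 0, sizeof hdr);               /* pid 0 = calling thread */
    memset(data, 0, sizeof data);
    hdr.version = _LINUX_CAPABILITY_VERSION_3;
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;

    r->effective   = !!(data[idx].effective & mask);   /* what capable() tests */
    r->permitted   = !!(data[idx].permitted & mask);
    r->inheritable = !!(data[idx].inheritable & mask);
    r->bounding = prctl(PR_CAPBSET_READ, (unsigned long)cap, 0UL, 0UL, 0UL);
    r->ambient  = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, (unsigned long)cap, 0UL, 0UL);
    return 0;
}

int main(int argc, char **argv)
{
    struct cap_report r;

    if (cap_report_self(CAP_SYS_MODULE, &r) != 0) {
        perror("capget");
        return 1;
    }
    fprintf(stderr, "%s[%d] CAP_SYS_MODULE: eff=%d prm=%d inh=%d bnd=%d amb=%d\n",
            argc > 0 ? argv[0] : "?", (int)getpid(),
            r.effective, r.permitted, r.inheritable, r.bounding, r.ambient);
    return 0;
}
```

Because may_init_module() goes through capable(), which consults the effective set only, a process showing eff=0 still gets EPERM from finit_module even when prm=1.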