A dirty module-loading library for the Linux kernel.
This abuses the Linux module auto-loading mechanism to trick the kernel into shelling out to the userspace modprobe helper.
A side-effect of the SIOCGIFINDEX ioctl results in the kernel looking up and loading arbitrary modules by name.
This isn’t strictly a privilege escalation, as the caller must have the CAP_SYS_MODULE capability; however, it allows a containerized process to load modules in the host namespace.
This is a dirty mechanism, as the ioctl syscall will induce a context-switch back from kernel-space to user-space to run a host binary outside of caller context.
Typically this results in modprobe being called in the host; however, arbitrary binaries can be run by tweaking the usermode helper sysctl at /proc/sys/kernel/modprobe.
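The conditions described above can be audited from `/proc`. The following is an added example, not code from this crate: `Finding` and `audit` are hypothetical names, the expected helper path `/sbin/modprobe` is an assumption to adjust per distribution, and the two `CapEff` samples are constructed. It also reads the kernel's `modules_disabled` sysctl, which this page does not mention.

```rust
const CAP_SYS_MODULE: u32 = 16; // bit index, from linux/capability.h

// Constructed /proc/<pid>/status excerpts: a restricted and a full capability set.
const SAMPLE_CONFINED: &str = "Name:\tsh\nCapEff:\t00000000a80425fb\n";
const SAMPLE_PRIVILEGED: &str = "Name:\tsh\nCapEff:\t000001ffffffffff\n";

#[derive(Debug, PartialEq)]
enum Finding {
    CapSysModuleHeld,      // process may request arbitrary modules by name
    ModuleLoadingEnabled,  // kernel.modules_disabled is not 1
    HelperChanged(String), // kernel.modprobe differs from the expected path
}

/// Effective capability mask parsed from the text of /proc/<pid>/status.
fn effective_caps(status: &str) -> Option<u64> {
    let hex = status.lines().find_map(|l| l.strip_prefix("CapEff:"))?;
    u64::from_str_radix(hex.trim(), 16).ok()
}

/// Hypothetical audit routine; every input is the raw content of a /proc file.
fn audit(status: &str, modules_disabled: &str, helper: &str, expected: &str) -> Vec<Finding> {
    let mut out = Vec::new();
    if effective_caps(status).map_or(false, |m| m & (1u64 << CAP_SYS_MODULE) != 0) {
        out.push(Finding::CapSysModuleHeld);
    }
    if modules_disabled.trim() != "1" {
        out.push(Finding::ModuleLoadingEnabled);
    }
    if helper.trim() != expected {
        out.push(Finding::HelperChanged(helper.trim().to_string()));
    }
    out
}

fn main() {
    let expected = "/sbin/modprobe"; // assumed helper path
    println!("confined:   {:?}", audit(SAMPLE_CONFINED, "1", expected, expected));
    println!("privileged: {:?}", audit(SAMPLE_PRIVILEGED, "0", expected, expected));
    // Live check of the current process; unreadable files become empty strings.
    let read = |p: &str| std::fs::read_to_string(p).unwrap_or_default();
    let live = audit(
        &read("/proc/self/status"),
        &read("/proc/sys/kernel/modules_disabled"),
        &read("/proc/sys/kernel/modprobe"),
        expected,
    );
    println!("this process: {:?}", live);
}
```

Run inside a container, a `CapSysModuleHeld` finding together with `ModuleLoadingEnabled` means the workload meets the precondition this page describes.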
Functions§
- try_load - Try to load a host kernel module via the modprobe userspace helper.