lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 28 Nov 2017 16:50:09 -0800
From:   Linus Torvalds <torvalds@...ux-foundation.org>
To:     Kees Cook <keescook@...omium.org>
Cc:     Geo Kozey <geokozey@...lfence.com>,
        LSM List <linux-security-module@...r.kernel.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        "kernel-hardening@...ts.openwall.com" 
        <kernel-hardening@...ts.openwall.com>
Subject: Re: [kernel-hardening] Re: [PATCH v5 next 5/5] net: modules: use
 request_module_cap() to load 'netdev-%s' modules

On Tue, Nov 28, 2017 at 4:26 PM, Kees Cook <keescook@...omium.org> wrote:
>
>> The model that I am a proponent of is to take a softer approach
>> initially: don't forbid module loading (because that breaks users),
>> but instead _warn_ about non-root module loading. And then we can
>> start fixing the cases that we find.
>
> I am totally fine with this. The question I'm hoping to have answered
> is, "then what?" We already have concrete examples of module
> autoloading that will still be need to stay unprivileged and as-is in
> the kernel (even if we remove others). What do you see as the way to
> allow an admin to turn those off?

Just thinking about the DCCP case, where networking people actually
knew it was pretty deprecated and had no real maintainer, I think one
thing to look at would be simply a per-module flag.

That kind of thing should be fairly easy to implement, along the same
lines as the module license - it just sets a flag in the ELF section
headers.

With something like that, we literally could make the default be "no
autoloading except for root", and then just mark the modules that we
think are ok and well maintained.

Sure, if you then do a lock-down mode that makes that flag parsing
stricter, then that's a separate thing. But I suspect we definitely
could be a lot stricter on a per-module basis, and do it in a way
where a normal user wouldn't even notice that we've limited the
autoloading.

But the first step would be to just add some noise. And even with the
per-module flag, at first it would only suppress the noise (ie we'd
still _allow_ loading other modules, they'd just be noisy). Then, if
nobody hollers, maybe the next kernel release we'll make it actually
enforce the flag.

Does that sound reasonable?

               Linus

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ