| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 24 Jul 2015 09:48:01 +0200 From: Willy Tarreau <w@....eu> To: Kees Cook <keescook@...omium.org> Cc: Andy Lutomirski <luto@...capital.net>, Andy Lutomirski <luto@...nel.org>, Peter Zijlstra <peterz@...radead.org>, Steven Rostedt <rostedt@...dmis.org>, "security@...nel.org" <security@...nel.org>, X86 ML <x86@...nel.org>, Borislav Petkov <bp@...en8.de>, Sasha Levin <sasha.levin@...cle.com>, LKML <linux-kernel@...r.kernel.org>, Konrad Rzeszutek Wilk <konrad.wilk@...cle.com>, Boris Ostrovsky <boris.ostrovsky@...cle.com>, Andrew Cooper <andrew.cooper3@...rix.com>, Jan Beulich <jbeulich@...e.com>, xen-devel <xen-devel@...ts.xen.org> Subject: Re: [PATCH v3 2/3] x86/ldt: Make modify_ldt optional On Fri, Jul 24, 2015 at 09:24:51AM +0200, Willy Tarreau wrote: > On Thu, Jul 23, 2015 at 05:09:21PM -0700, Kees Cook wrote: > > > All this to say that probably only a handful of tricky syscalls would > > > need an on/off switch but clearly not all of them at all, so I'd rather > > > add a few entries just for the relevant ones, mainly to fix compatibility > > > issues and nothing more. Eg: what's the point of disabling exit(), wait(), > > > kill(), fork() or getpid()... It would only increase the difficulty to > > > sort out bug reports. > > > > > > Just my opinion, > > > > Well, I would really like to have something like this around so that I > > can trivially globally disable syscalls when they have security risks. > > I understand, but while maybe it could make sense to have the option on > any linux-specific syscall, having it on the standard, portable ones > will be useless as disabling them will break most applications. > > > My hack[1] to disable kexec_load, for example, was terrible while I > > waited for a kernel that supported the disable_kexec_load sysctl. > > This typically is one linux-specific syscall which no regular application > would rely on and which can come with side effects. I think there are not > *that* many, none of them is performance-critical, and they'd rather be > dealt with one at a time. Looking at syscall_64.tbl, I'm seeing that the first ~133 syscalls have no reason for being disabled if we don't want to break portable applications, with the exception of ptrace I guess. Past this, things like uselib, personality, sysfs, prctl etc... could be disabled. There are still some exceptions in this area but I don't see them as critical if someone would accidently disable them (eg: getpriority, mlock, ...). Others like chroot, setrlimit, adjtimex, settimeofday, mount, umount, time need to be kept. And a few ones like sync or sethostname would be nice to have optional in order to lock down a system at boot. Many of the other ones are ns-specific versions of the first ones (*at) and would rather not being made optional either. I think maybe we can find between 10 and 30 that would make sense to optionally disable. Willy -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists