From: Rusty Russell <rusty@rustcorp.com.au>
To: Eric Paris <eparis@redhat.com>
Cc: Alan Jenkins <sourcejedi.lkml@googlemail.com>,
	linux-kernel@vger.kernel.org, arjan@infradead.org,
	randy.dunlap@oracle.com, andi@firstfloor.org,
	dhowells@redhat.com, akpm@linux-foundation.org
Subject: Re: request_module vs. modprobe blacklist (and security subsystem implications)
Date: Sat, 24 Oct 2009 01:29:52 +1030
Message-ID: <200910240129.53622.rusty@rustcorp.com.au>
In-Reply-To: <1256307830.4443.158.camel@dhcp231-106.rdu.redhat.com>

On Sat, 24 Oct 2009 12:53:50 am Eric Paris wrote:
> On Fri, 2009-10-23 at 19:46 +1030, Rusty Russell wrote:
> > On Fri, 23 Oct 2009 01:00:22 am Eric Paris wrote:
> > > > If a userspace program tries some security exploit that has been closed, do
> > > > you want to warn about it?  Because that seems to be the question here.
> > > 
> > > I say yes.  Knowing that malicious activity is taking place, even if it
> > > didn't hurt anything is useful.
> > 
> > Hi Eric,
> > 
> > Your proposal is troubling for three reasons:
> > 
> > 1) You would disable logging for things you actually want logged.
> 
> I would?

Yep, admin disables loading of ipx to prevent hole.  Now, you no longer get
logging notification.

> > 2) What *actually* happens when ssh tries to load ipv6 is that
> >    "modprobe net-pf-10" gets called.
> > 3) Containing modprobe behavior in one set of config files is really nice.
> 
> It is, but it also means that we somewhat regularly call userspace
> needlessly and there is nothing an admin can do to stop it.

Yes, but that's nothing to do with SELinux; we exec modprobe for no effect.
Yet I've yet to see a report that this is a performance issue.  These brains
are in userspace for a reason.

> But it appears you disagree that fixing that problem is worth it, and I
> don't feel strongly enough to keep arguing  :)

But we have learnt something, at least!

Cheers,
Rusty.
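The mechanism being argued about (the kernel exec'ing "modprobe net-pf-10" and the admin steering the result from modprobe's config files) can be made concrete with a small simulation. This is an added example, not code from the thread or from module-init-tools: it is a deliberately reduced resolver that only understands the "alias" and "install" directives over a constructed config fragment, and it assumes POSIX sh plus awk. It shows how an admin who wants to refuse the ipx load can keep the logging in userspace by making the install command log before failing, instead of losing the event entirely.

```shell
#!/bin/sh
# Constructed modprobe.d-style fragment (example only, not from the thread).
# "alias" maps a request_module() name such as net-pf-10 onto a module;
# "install" replaces the command modprobe would run for that name.
MODPROBE_D='alias net-pf-10 ipv6
install ipx /usr/bin/logger -t modprobe "blocked ipx load"; /bin/false'

# resolve NAME: follow one alias hop, then report what this reduced
# resolver would do. Prints "install <command>" when an install
# directive overrides the load, otherwise "load <module>".
# Real modprobe also honours blacklist, options, dependency maps and
# more; this only models the two directives the example needs.
resolve() {
    name=$1
    target=$(printf '%s\n' "$MODPROBE_D" |
        awk -v n="$name" '$1 == "alias" && $2 == n { print $3; exit }')
    [ -n "$target" ] && name=$target
    cmd=$(printf '%s\n' "$MODPROBE_D" |
        awk -v n="$name" '$1 == "install" && $2 == n {
            sub(/^install [^ ]+ /, ""); print; exit }')
    if [ -n "$cmd" ]; then
        printf 'install %s\n' "$cmd"
    else
        printf 'load %s\n' "$name"
    fi
}

# What the kernel's request_module("net-pf-10") turns into here,
# and what the admin's ipx override turns into.
resolve net-pf-10
resolve ipx
```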
