Re: [PATCH RFC] Restrictions on module loading

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Kees Cook <kees.cook@canonical.com>
To: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: linux-kernel@vger.kernel.org, security@kernel.org
Subject: Re: [PATCH RFC] Restrictions on module loading
Date: Sun, 7 Nov 2010 21:14:02 -0800	[thread overview]
Message-ID: <20101108051402.GA5876@outflux.net> (raw)
In-Reply-To: <1289179439.3090.205.camel@Dan>

On Sun, Nov 07, 2010 at 08:23:59PM -0500, Dan Rosenberg wrote:
> A significant portion of kernel vulnerabilities do not affect core code,
> but rather individual modules.  Unfortunately, there is no global kernel
> setting to restrict unprivileged users from triggering the automatic
> loading of kernel modules, for example by creating a socket using a
> packet family that is compiled as a module and not already loaded.  On
> most distributions, this creates a significant attack surface, and
> requires maintenance of blacklists and other inelegant solutions to a
> general problem.
> 
> The below patch replaces the existing "modules_disable" sysctl with a
> finer-grained "modules_restrict" sysctl.  By default, this is set at 0,
> which results in no deviation from normal module loading behavior.  When
> set to 1, unprivileged users cannot trigger the automatic loading of
> modules.  This behavior is based on grsecurity's GRKERNSEC_MODHARDEN
> setting.  The current check is against current_uid(), since several
> distributions explicitly remove CAP_SYS_MODULE from root processes, some
> of which incidentally cause (and rely on) the automatic loading of
> modules.  I expect this to be a point of discussion.
> 
> When set to 2, modules may not be loaded or unloaded by anyone, and the
> sysctl may not be changed from that point forward.  This is designed to
> provide protection against kernel module rootkits.
> 
> Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>

Acked-by: Kees Cook <kees.cook@canonical.com>

This looks great to me. There will be a small amount of pain for people
that are already using modules_disabled=1, but I think the audience is so
small that it won't be a problem to switch to modules_restrict=2.

-Kees

-- 
Kees Cook
Ubuntu Security Team

next prev parent reply	other threads:[~2010-11-08  5:14 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2010-11-08  1:23 [PATCH RFC] Restrictions on module loading Dan Rosenberg
2010-11-08  5:14 ` Kees Cook [this message]
2010-11-08 10:20 ` Alan Cox
2010-11-08 12:23   ` Dan Rosenberg
2010-11-08 13:59     ` Alan Cox
2010-11-09  5:42 ` [Security] " Eugene Teo
     [not found] <fMoIy-7gR-5@gated-at.bofh.it>
2010-11-08  8:30 ` Bodo Eggert
2010-11-08 11:34   ` Andi Kleen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20101108051402.GA5876@outflux.net \
    --to=kees.cook@canonical.com \
    --cc=drosenberg@vsecurity.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=security@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.