From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1757433AbcLTKsi (ORCPT <rfc822;w@1wt.eu>);
        Tue, 20 Dec 2016 05:48:38 -0500
Received: from mail.linuxfoundation.org ([140.211.169.12]:53452 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1754641AbcLTKsg (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 20 Dec 2016 05:48:36 -0500
Date: Tue, 20 Dec 2016 11:48:46 +0100
From: Greg KH <gregkh@linuxfoundation.org>
To: Jiri Kosina <jikos@kernel.org>
Cc: NeilBrown <neilb@suse.com>, kernel-hardening@lists.openwall.com,
        linux-kernel@vger.kernel.org
Subject: Re: [RFC 0/4] make call_usermodehelper a bit more "safe"
Message-ID: <20161220104846.GA18702@kroah.com>
References: <20161214185000.GA3930@kroah.com>
 <87k2b0wus6.fsf@notabene.neil.brown.name>
 <20161216124913.GB31485@kroah.com>
 <alpine.LRH.2.00.1612191428060.15543@gjva.wvxbf.pm>
 <20161220092734.GA12200@kroah.com>
 <alpine.LSU.2.20.1612201117220.19203@cbobk.fhfr.pm>
 <alpine.LSU.2.20.1612201129320.19203@cbobk.fhfr.pm>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <alpine.LSU.2.20.1612201129320.19203@cbobk.fhfr.pm>
User-Agent: Mutt/1.7.2 (2016-11-26)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Dec 20, 2016 at 11:31:57AM +0100, Jiri Kosina wrote:
> On Tue, 20 Dec 2016, Jiri Kosina wrote:
> 
> > I stay totally unconvinced that such kind of countermeasure brings any 
> > value whatsoever. Could you please bring up a particular usecase, where 
> > you have complete control over kernel memory, and still the only 
> > possible exploit factor is redirecting usermodhelper? It feels like 
> > rather random shot into darkness.
> 
> If we want to make usermod helper really secure, perhaps the best way to 
> go would be to completely nuke it and handle everyhting in udev; that'd be 
> quite some work though, especially so that we don't break all the corner 
> cases of module autoloading (request_module() and such).

In talking about this with others, I like Neil's approach of just
calling out to a statically-defined single binary to handle all of the
specifics.  Using something like busybox/toybox to handle any usermode
helper issues would be a very simple way to deal with this on a large
number of systems (i.e. embedded devices / phones / chromebooks).

After I return from vacation, I'll respin this series based on that idea
and repost it.

thanks,

greg k-h