From: Marcus Meissner <meissner@suse.de>
To: "Theodore Ts'o" <tytso@mit.edu>,
Kees Cook <keescook@chromium.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Djalal Harouni <tixxdz@gmail.com>,
Jonathan Corbet <corbet@lwn.net>,
James Morris <james.l.morris@oracle.com>,
LSM List <linux-security-module@vger.kernel.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
Geo Kozey <geokozey@mailfence.com>
Subject: Re: [kernel-hardening] Re: [PATCH v5 next 5/5] net: modules: use request_module_cap() to load 'netdev-%s' modules
Date: Fri, 1 Dec 2017 16:22:00 +0100 [thread overview]
Message-ID: <20171201152200.GP14681@suse.de> (raw)
In-Reply-To: <20171128234920.awfwicihuudw5ogx@thunk.org>
On Tue, Nov 28, 2017 at 06:49:20PM -0500, Theodore Ts'o wrote:
> On Tue, Nov 28, 2017 at 03:29:01PM -0800, Kees Cook wrote:
> > > So in these two cases, if the kernel was built w/o modules, and HDLC
> > > and DCCP was built-in, you'd be screwed, then?
> >
> > Sure, but that's not the common situation.
> >
> > > Is the goal here to protect people using distro kernels which build
> > > the world as modules, including dodgy pieces of kernel code that are
> > > bug-ridden?
> >
> > The bulk of the risk comes from distro kernels, yes. (Though "bug
> > ridden" is a strong statement. There are and will be bugs, scattered
> > across a wide portion of the kernel, it's just that modules tend to
> > cover most of that attack surface.)
>
> OK, but if the goal is to protect users who are running distro
> kernels, then a kernel config that breaks some percentage of users is
> ****highly**** unlikely to be enabled by Red Hat and SuSE, right? And
> many of these users either can't (from a skills perspective) or won't
> (because they lose all support from the enterprise distro's help desk)
> recompile their kernel to enable an "might break 3% of all users ---
> oh, well" config option.
Yes, breaking customers is not seen lightly.
I also (not related to this thread here, more to SLAB hardening et.al)
have a hard time getting performance losses caused by hardening features approved.
> Which argues for being extremely conservative about making something
> that has an extremely low probability of breaking users, and it points
> out why Geo Kozey's "who cares about breaking users; security is
> IMPORTANT" argument is so wrong-headed.
>
> If the goal is to protect distro kernels, but a sloppy approach
> guarantees that distro kernels will never enable it, is it really
> worth it?
>
> - Ted
>
> P.S. This is where it might be useful to get some input from the Red
> Hat and SuSE support teams. How many angry user calls to their help
> desk are they willing to field before they'll just turn off the kernel
> config option for their kernels?
Speaking for SUSE ... If something that worked for people before and
it breaks, we do get feedback. If no one used it however, we won't.
For our last major product we went over the network module list and
disabled some for building. e.g. DCCP is no longer built. We did
not receive any complaints about missing DCCP to my knowledge.
We also seperate our modules into "regular supported" and "unsupported"
in different RPMs. The "unsupported" module packages are not shipped on
the Server product. They were shipped on the desktop as some of the WiFi
drivers were requested by customers but were considered not supportable.
We do review this supportable list between kernel version jumps.
Ciao, Marcus
next prev parent reply other threads:[~2017-12-01 15:22 UTC|newest]
Thread overview: 84+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-27 17:18 [PATCH v5 next 0/5] Improve Module autoloading infrastructure Djalal Harouni
2017-11-27 17:18 ` [PATCH v5 next 1/5] modules:capabilities: add request_module_cap() Djalal Harouni
2017-11-27 18:48 ` Randy Dunlap
2017-11-27 21:35 ` Djalal Harouni
2017-11-28 19:14 ` Luis R. Rodriguez
2017-11-28 20:11 ` Kees Cook
2017-11-28 21:16 ` Luis R. Rodriguez
2017-11-28 21:33 ` Djalal Harouni
2017-11-28 22:18 ` Luis R. Rodriguez
2017-11-28 22:52 ` Djalal Harouni
2017-11-28 21:39 ` Kees Cook
2017-11-28 22:12 ` Luis R. Rodriguez
2017-11-28 22:18 ` Kees Cook
2017-11-28 22:48 ` Luis R. Rodriguez
2017-11-29 7:49 ` Michal Kubecek
2017-11-29 13:46 ` Alan Cox
2017-11-29 14:50 ` David Miller
2017-11-29 15:54 ` Theodore Ts'o
2017-11-29 15:58 ` David Miller
2017-11-29 16:29 ` Theodore Ts'o
2017-11-29 22:45 ` Linus Torvalds
2017-11-30 0:06 ` Kees Cook
2017-11-29 17:28 ` Serge E. Hallyn
2017-11-30 0:35 ` Theodore Ts'o
2017-11-30 17:17 ` Serge E. Hallyn
2017-11-28 20:18 ` Djalal Harouni
2017-11-27 17:18 ` [PATCH v5 next 2/5] modules:capabilities: add cap_kernel_module_request() permission check Djalal Harouni
2017-11-30 2:05 ` Luis R. Rodriguez
2017-11-27 17:18 ` [PATCH v5 next 3/5] modules:capabilities: automatic module loading restriction Djalal Harouni
2017-11-30 1:23 ` Luis R. Rodriguez
2017-11-30 12:22 ` Djalal Harouni
2017-11-27 17:18 ` [PATCH v5 next 4/5] modules:capabilities: add a per-task modules auto-load mode Djalal Harouni
2017-11-27 17:18 ` [PATCH v5 next 5/5] net: modules: use request_module_cap() to load 'netdev-%s' modules Djalal Harouni
2017-11-27 18:44 ` Linus Torvalds
2017-11-27 21:41 ` Djalal Harouni
2017-11-27 22:04 ` Linus Torvalds
2017-11-27 22:59 ` Kees Cook
2017-11-27 23:14 ` Linus Torvalds
2017-11-27 23:19 ` Kees Cook
2017-11-27 23:35 ` Linus Torvalds
2017-11-28 1:23 ` Kees Cook
2017-11-28 12:16 ` [kernel-hardening] " Geo Kozey
2017-11-28 19:32 ` Theodore Ts'o
2017-11-28 20:08 ` Kees Cook
2017-11-28 20:12 ` Linus Torvalds
2017-11-28 20:20 ` Kees Cook
2017-11-28 20:33 ` Linus Torvalds
2017-11-28 21:10 ` Djalal Harouni
2017-11-28 21:33 ` Kees Cook
2017-11-28 23:23 ` Theodore Ts'o
2017-11-28 23:29 ` Kees Cook
2017-11-28 23:49 ` Theodore Ts'o
2017-11-29 0:18 ` Kees Cook
2017-11-29 6:36 ` Theodore Ts'o
2017-11-29 14:46 ` Geo Kozey
2017-12-01 15:22 ` Marcus Meissner [this message]
2017-11-28 23:53 ` Djalal Harouni
2017-11-28 21:51 ` Geo Kozey
2017-11-28 23:51 ` Linus Torvalds
2017-11-29 0:17 ` Linus Torvalds
2017-11-29 0:26 ` Kees Cook
2017-11-29 0:50 ` Linus Torvalds
2017-11-29 4:26 ` Eric W. Biederman
2017-11-29 18:30 ` Kees Cook
2017-11-29 18:46 ` Linus Torvalds
2017-11-29 18:53 ` Linus Torvalds
2017-11-29 21:17 ` Kees Cook
2017-11-29 22:14 ` Linus Torvalds
2017-11-30 0:44 ` Kees Cook
2017-11-30 2:08 ` Linus Torvalds
2017-11-30 6:51 ` Daniel Micay
2017-11-30 8:50 ` Djalal Harouni
2017-11-30 14:16 ` Theodore Ts'o
2017-11-30 14:51 ` Djalal Harouni
2017-12-01 6:39 ` Daniel Micay
2017-11-29 15:28 ` Geo Kozey
2017-11-27 18:41 ` [PATCH v5 next 0/5] Improve Module autoloading infrastructure Linus Torvalds
2017-11-27 19:02 ` Linus Torvalds
2017-11-27 19:12 ` Linus Torvalds
2017-11-27 21:31 ` Djalal Harouni
2017-11-27 19:14 ` David Miller
2017-11-27 22:31 ` James Morris
2017-11-27 23:04 ` Kees Cook
2017-11-27 23:44 ` James Morris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171201152200.GP14681@suse.de \
--to=meissner@suse.de \
--cc=corbet@lwn.net \
--cc=geokozey@mailfence.com \
--cc=james.l.morris@oracle.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=tixxdz@gmail.com \
--cc=torvalds@linux-foundation.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox