Re: request_module vs. modprobe blacklist (and security subsystem implications)

From: Eric W. Biederman
Date: Wed Oct 21 2009 - 21:12:53 EST


Eric Paris <eparis@xxxxxxxxxx> writes:

> I recently added a new LSM hook into __request_module(),
> security_kernel_module_request(). This new hook checks if a process
> should have permission to trigger the loading of a kernel module. The
> attack vector imagined was that some module (IPX for example) has a
> vulnerability. An attack program (which doesn't have permission to load
> the IPX module directly) might be able to get the networking stack to
> try to autoload the module. Once loaded the attack program could then
> use the larger surface area to exploit the kernel.
>
> We have found that many users disable the IPv6 module by setting their
> modprobe config to look like:
>
> blacklist ipv6
> install ipv6 /bin/true

They need to be using /proc/sys/net/ipv6/conf/*/disable_ipv6 instead,
as the above scenario keeps the bonding driver from loading.

Eric
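A shell example added here, not from the thread: it parses modprobe.d configuration text (joining backslash continuations and stripping comments) and reports `install <module> /bin/true` overrides of the kind quoted above, which answer every load request for that module and so also block dependency autoload; the sample config is constructed, and the sysctl.conf spelling of the disable_ipv6 knobs is an assumption of this example.

```shell
# Added example, not from the thread. Audits modprobe.d configuration text for
# the "install <module> /bin/true" pattern quoted above. That override answers
# every load request for the module, including ones made on behalf of a
# dependent module (the bonding driver in the reply), which then fails too.

# Normalise modprobe.d syntax: strip '#' comments, join backslash-continued
# lines, squeeze whitespace, drop empty lines. One directive per output line.
normalize_modprobe_conf() {
    awk '
        { sub(/#.*$/, "") }
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, " "); buf = buf $0; next }
        { line = buf $0; buf = ""
          gsub(/[ \t]+/, " ", line); sub(/^ /, "", line); sub(/ $/, "", line)
          if (line != "") print line }
    '
}

# Print the module name of every "install <mod> /bin/true|/bin/false" line
# read from stdin. These are the overrides that break dependency autoloading.
find_install_overrides() {
    normalize_modprobe_conf |
        awk '$1 == "install" && ($3 == "/bin/true" || $3 == "/bin/false") { print $2 }'
}

# Print every blacklisted module. A plain blacklist only suppresses alias-based
# autoload; explicit modprobe and dependency loading still work.
find_blacklists() {
    normalize_modprobe_conf | awk '$1 == "blacklist" { print $2 }'
}

# sysctl.conf form of the /proc/sys/net/ipv6/conf/*/disable_ipv6 knobs the
# reply recommends; the key spelling is assumed by this example.
ipv6_sysctl_alternative() {
    printf '%s\n' 'net.ipv6.conf.all.disable_ipv6 = 1' \
                  'net.ipv6.conf.default.disable_ipv6 = 1'
}

# Constructed sample of the configuration quoted in the thread, with a
# continuation line and a trailing comment to exercise the parser.
sample_config='# constructed /etc/modprobe.d/ipv6.conf
blacklist ipv6
install ipv6 \
    /bin/true
blacklist pcspkr   # no dependents, harmless
'
for mod in $(printf '%s' "$sample_config" | find_install_overrides); do
    echo "install override for '$mod': dependent modules cannot autoload"
    if [ "$mod" = ipv6 ]; then echo "use instead:"; ipv6_sysctl_alternative; fi
done
```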