|
Message-ID: <CA+55aFwDfBnMVGfBVkrFFr26tp1y8CUpSf154AuXH+sWyeY5FA@mail.gmail.com> Date: Tue, 28 Nov 2017 16:50:09 -0800 From: Linus Torvalds <torvalds@...ux-foundation.org> To: Kees Cook <keescook@...omium.org> Cc: Geo Kozey <geokozey@...lfence.com>, LSM List <linux-security-module@...r.kernel.org>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com> Subject: Re: Re: [PATCH v5 next 5/5] net: modules: use request_module_cap() to load 'netdev-%s' modules On Tue, Nov 28, 2017 at 4:26 PM, Kees Cook <keescook@...omium.org> wrote: > >> The model that I am a proponent of is to take a softer approach >> initially: don't forbid module loading (because that breaks users), >> but instead _warn_ about non-root module loading. And then we can >> start fixing the cases that we find. > > I am totally fine with this. The question I'm hoping to have answered > is, "then what?" We already have concrete examples of module > autoloading that will still be need to stay unprivileged and as-is in > the kernel (even if we remove others). What do you see as the way to > allow an admin to turn those off? Just thinking about the DCCP case, where networking people actually knew it was pretty deprecated and had no real maintainer, I think one thing to look at would be simply a per-module flag. That kind of thing should be fairly easy to implement, along the same lines as the module license - it just sets a flag in the ELF section headers. With something like that, we literally could make the default be "no autoloading except for root", and then just mark the modules that we think are ok and well maintained. Sure, if you then do a lock-down mode that makes that flag parsing stricter, then that's a separate thing. But I suspect we definitely could be a lot stricter on a per-module basis, and do it in a way where a normal user wouldn't even notice that we've limited the autoloading. But the first step would be to just add some noise. And even with the per-module flag, at first it would only suppress the noise (ie we'd still _allow_ loading other modules, they'd just be noisy). Then, if nobody hollers, maybe the next kernel release we'll make it actually enforce the flag. Does that sound reasonable? Linus
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.