Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CA+55aFxWKKjpqHL9pq=4r8ZMjvDSzzwHK69FFg+Re4CfAAtmqA@mail.gmail.com>
Date: Wed, 29 Nov 2017 18:08:34 -0800
From: Linus Torvalds <torvalds@...ux-foundation.org>
To: Kees Cook <keescook@...omium.org>
Cc: Djalal Harouni <tixxdz@...il.com>, Jessica Yu <jeyu@...nel.org>, 
	LSM List <linux-security-module@...r.kernel.org>, 
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, 
	"kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>
Subject: Re: Re: [PATCH v5 next 5/5] net: modules: use
 request_module_cap() to load 'netdev-%s' modules

On Wed, Nov 29, 2017 at 4:44 PM, Kees Cook <keescook@...omium.org> wrote:
>
>> That mainly leaves the protocol ones we need to look out for, I suspect.
>
> This is where a lot of the exposure really comes from. socket()
> triggers a bunch of stuff, but doesn't have an obvious privilege
> associated with it... while it already does the name templates, maybe
> add request_module_socket() just to explicitly mark it?

.. and this is where I'd expect that maybe we'd need some hackery.

Even including some ad-hoc rules like "this module is actually
maintained", possibly even with some /sys interface to extend/reduce
that set.

But maybe it's not even that bad.

                Linus

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.