Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Subject: Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions
From: Kees Cook <keescook@xxxxxxxxxxxx>
Date: Mon, 22 May 2017 16:52:15 -0700
Cc: Djalal Harouni <tixxdz@xxxxxxxxx>, Solar Designer <solar@xxxxxxxxxxxx>, linux-kernel <linux-kernel@xxxxxxxxxxxxxxx>, Network Development <netdev@xxxxxxxxxxxxxxx>, LSM List <linux-security-module@xxxxxxxxxxxxxxx>, "kernel-hardening@xxxxxxxxxxxxxxxxxx" <kernel-hardening@xxxxxxxxxxxxxxxxxx>, Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>, Rusty Russell <rusty@xxxxxxxxxxxxxxx>, "Serge E. Hallyn" <serge@xxxxxxxxxx>, Jessica Yu <jeyu@xxxxxxxxxx>, "David S. Miller" <davem@xxxxxxxxxxxxx>, James Morris <james.l.morris@xxxxxxxxxx>, Paul Moore <paul@xxxxxxxxxxxxxx>, Stephen Smalley <sds@xxxxxxxxxxxxx>, Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>, Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx>, Ingo Molnar <mingo@xxxxxxxxxx>, Linux API <linux-api@xxxxxxxxxxxxxxx>, Dongsu Park <dpark@xxxxxxxxxx>, Casey Schaufler <casey@xxxxxxxxxxxxxxxx>, Jonathan Corbet <corbet@xxxxxxx>, Arnaldo Carvalho de Melo <acme@xxxxxxxxxx>, Mauro Carvalho Chehab <mchehab@xxxxxxxxxx>, Peter Zijlstra <peterz@xxxxxxxxxxxxx>, Zendyani <zendyani@xxxxxxxxx>, "open list:DOCUMENTATION" <linux-doc@xxxxxxxxxxxxxxx>, Al Viro <viro@xxxxxxxxxxxxxxxxxx>, Ben Hutchings <ben.hutchings@xxxxxxxxxxxxxxx>
In-reply-to: <CALCETrXyf3vM+NdFNcjwaOZs1KFJomuTL0DobXoH9Z68k8dknQ@mail.gmail.com>
References: <1495454226-10027-1-git-send-email-tixxdz@gmail.com> <20170522120848.GA3003@openwall.com> <CAEiveUdqfMk4+vLg6TaEJNSGwoQHxYq0P4aqZoL4i9GgR3Vdtw@mail.gmail.com> <20170522164323.GA2048@openwall.com> <CAEiveUdb=yc5Gt_+pU_hfNdoNBP0JsUL1QUydNZgc2tD7n1h1w@mail.gmail.com> <CAGXu5jKGnG74KE-k9JPaH1bNqT5nbVioaeu_5sAKQ+4kgp-0Ng@mail.gmail.com> <CALCETrXyf3vM+NdFNcjwaOZs1KFJomuTL0DobXoH9Z68k8dknQ@mail.gmail.com>

On Mon, May 22, 2017 at 4:38 PM, Andy Lutomirski <luto@xxxxxxxxxx> wrote:
> I think that having the un-resettable mode is unnecessary.  We should
> have option that disables loading modules entirely and cannot be
> unset.  (That means no explicit loads and not implicit loads.)  Maybe
> we already have this.  Otherwise, tightening caps needed for implicit
> loads should just be a normal yes/no setting IMO.

Yup, /proc/sys/kernel/modules_disabled already does this.

-- 
Kees Cook
Pixel Security
--
To unsubscribe from this list: send the line "unsubscribe linux-api" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

References:
- [PATCH v4 next 0/3] modules: automatic module loading restrictions
  - From: Djalal Harouni
- Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions
  - From: Solar Designer
- Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions
  - From: Djalal Harouni
- Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions
  - From: Solar Designer
- Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions
  - From: Djalal Harouni
- Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions
  - From: Kees Cook
- Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions
  - From: Andy Lutomirski

Prev by Date: Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions
Next by Date: Re: [PATCH v2 4/6] mm, mempolicy: simplify rebinding mempolicies when updating cpusets
Previous by thread: Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions
Next by thread: Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions
Index(es):
- Date
- Thread

[Index of Archives] [Linux USB Devel] [Video for Linux] [Linux Audio Users] [Yosemite News] [Linux Kernel] [Linux SCSI]