On Fri, Sep 21, 2012 at 03:55:28PM -0700, Eric W. Biederman wrote:
> 1) I don't see anything disabling kdb or kgdb. If ever there
> was a way to poke into the kernel and change things...

Is there any way to access them without having physical console access (either the system console or a serial console)? Physically-present attacks are kind of out of scope here.

> 2) You almost certainly want to disable module removal. It is all too
> easy to have races that are not properly handled in the module
> removal path. I know I saw a bundle of those in debugfs the other
> day.

I'm pretty reluctant to work around bugs like this. Disabling features certainly reduces the attack surface, but the aim is to only disable features that *by design* permit the modification of the kernel. Where it's possible to do so by exploiting bugs, we should be fixing the bugs.

> 3) And half seriously you probably want to disable mounting of
> filesystems. I believe I have heard it said the kernel has not been
> vetted against a hostile root user mounting deliberately corrupted
> filesystem images.

See (2). Not that you need to be root to trigger filesystem mounts, so this is also a user->kernel exploit. Those should be fixed.

-- 
Matthew Garrett | mjg59@xxxxxxxxxxxxx