Re: I: kmod vs module-init-tools: modprobe security regression

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Dmitry

On Tue, Aug 14, 2012 at 5:56 PM, Dmitry V. Levin <ldv@xxxxxxxxxxxx> wrote:
> Hi,
>
> The new edition of modprobe provided by kmod, unlike the old one from
> module-init-tools, doesn't honour blacklist by default when processing
> aliases.
>
> Back in 2005, when blacklist support in modprobe was first added for
> module-init-tools, it was implemented that way deliberately:
> http://lkml.org/lkml/2005/5/11/74
>
> Since 2005 the feature became quite popular.  In particular, it is used
> as a method to "unalias" all kinds of aliases for the given module.
> I'm aware of many default configurations where such constructs as
> "alias net-pf-3 off" were rewritten as "blacklist ax25".
> Unfortunately, these configurations not just break with migration from
> module-init-tools to kmod, but also introduce a vulnerability: an
> unprivileged user can use socket(2) syscall to make the kernel load
> various modules implementing rare network protocols which used to be
> blacklisted.  Some of these modules had various security bugs in the past
> (like CVE-2009-2909 in ax25 mentioned above), and are likely to be less
> audited than more widespread network protocols, so unguarded access to
> these modules poses a security risk.
>
> What I'd like to know is what was the rationale for the change in modprobe

What's the change?

> behaviour and how do you propose to deal with the security regression it
> introduced?

there shouldn't be a change in behaviour. Could you provide an example
the results are different and if possible add it to
testsuite/test-blacklist.c?


thanks
Lucas De Marchi
--
To unsubscribe from this list: send the line "unsubscribe linux-modules" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [Big List of Linux Books]

  Powered by Linux