On Tue, Aug 14, 2012 at 9:13 PM, Lucas De Marchi <lucas.demarchi@xxxxxxxxxxxxxx> wrote:
> On Tue, Aug 14, 2012 at 7:25 PM, Dmitry V. Levin <ldv@xxxxxxxxxxxx> wrote:
>> On Tue, Aug 14, 2012 at 06:27:36PM -0300, Lucas De Marchi wrote:
>>> On Tue, Aug 14, 2012 at 5:56 PM, Dmitry V. Levin wrote:
>>> >
>>> > The new edition of modprobe provided by kmod, unlike the old one from
>>> > module-init-tools, doesn't honour blacklist by default when processing
>>> > aliases.
>>> >
>>> > Back in 2005, when blacklist support in modprobe was first added for
>>> > module-init-tools, it was implemented that way deliberately:
>>> > http://lkml.org/lkml/2005/5/11/74
>>> >
>>> > Since 2005 the feature became quite popular. In particular, it is used
>>> > as a method to "unalias" all kinds of aliases for the given module.
>>> > I'm aware of many default configurations where such constructs as
>>> > "alias net-pf-3 off" were rewritten as "blacklist ax25".
>>> > Unfortunately, these configurations not only break with the migration from
>>> > module-init-tools to kmod, but also introduce a vulnerability: an
>>> > unprivileged user can use the socket(2) syscall to make the kernel load
>>> > various modules implementing rare network protocols which used to be
>>> > blacklisted. Some of these modules had various security bugs in the past
>>> > (like CVE-2009-2909 in ax25 mentioned above), and are likely to be less
>>> > audited than more widespread network protocols, so unguarded access to
>>> > these modules poses a security risk.
>>> >
>>> > What I'd like to know is what was the rationale for the change in modprobe
>>>
>>> What's the change?
>>
>> As I said, modprobe from module-init-tools honours blacklist by default
>> when processing aliases, but modprobe from kmod doesn't.
>
> The key here is "when processing aliases", which was not so clear to me.
>
>> For example, "blacklist ax25" makes "modprobe net-pf-3" a noop in the case of
>> module-init-tools, while the modprobe from kmod loads ax25 despite the
>> blacklist. Assuming that kmod aims to replace module-init-tools, this
>> qualifies as a change in behaviour.
>
> So the answer is: it was not designed to be a change in behaviour, but
> it's rather a bug. I'll take a look at it.

For me the patch attached fixes the issue. Could you please test it?

Thanks
Lucas De Marchi
Attachment:
0001-Blacklist-only-aliases.patch
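To make the behavioural difference discussed in the thread concrete, the following Python model resolves a module name against a modprobe.d-style configuration in two modes: the module-init-tools semantics (a blacklist entry only suppresses a module when it is reached through an alias, never when it is named directly) and the kmod behaviour Dmitry reported (blacklist ignored during alias expansion). This is an added example written for this page, not code from kmod or module-init-tools. It assumes exact-match aliases only (no wildcards, no alias-to-alias chains), treats the targets "off" and "null" as no-ops (an assumption about the old tool's special-casing of the pre-2005 "alias ... off" idiom), and embeds a constructed sample configuration; on a real system the "net-pf-3 -> ax25" alias comes from depmod's modules.alias, not modprobe.d, and the kernel requests it via request_module("net-pf-3") when an unprivileged process calls socket(AF_AX25, ...).

```python
"""Model of modprobe name resolution with and without blacklist honoured
for aliases.  Added illustration; not kmod or module-init-tools code."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class ModprobeConfig:
    aliases: dict[str, list[str]] = field(default_factory=dict)  # alias -> targets
    blacklist: set[str] = field(default_factory=set)             # module names
    install: dict[str, str] = field(default_factory=dict)        # module -> command


def parse_modprobe_conf(text: str) -> ModprobeConfig:
    """Parse the subset of modprobe.d syntax used here: alias, blacklist, install.
    Comments start with '#'; blank lines are ignored."""
    cfg = ModprobeConfig()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 2)
        keyword = parts[0]
        if keyword == "alias" and len(parts) == 3:
            cfg.aliases.setdefault(parts[1], []).append(parts[2])
        elif keyword == "blacklist" and len(parts) >= 2:
            cfg.blacklist.add(parts[1])
        elif keyword == "install" and len(parts) == 3:
            cfg.install[parts[1]] = parts[2]
    return cfg


def resolve(cfg: ModprobeConfig, name: str, honour_blacklist_for_aliases: bool = True):
    """Return the actions modprobe would take for `name`:
    ('load', module), ('install', module, command) or ('noop', reason).

    honour_blacklist_for_aliases=True  models module-init-tools.
    honour_blacklist_for_aliases=False models the kmod bug reported in the thread.
    In both modes a module named directly is never blocked by 'blacklist'."""
    if name in cfg.aliases:
        targets = cfg.aliases[name]
        if honour_blacklist_for_aliases:
            targets = [t for t in targets if t not in cfg.blacklist]
    else:
        targets = [name]  # real module name: blacklist does not apply

    actions = []
    for target in targets:
        if target in ("off", "null"):  # assumption: old-style 'alias X off' is a no-op
            actions.append(("noop", target))
        elif target in cfg.install:    # 'install' override replaces the load
            actions.append(("install", target, cfg.install[target]))
        else:
            actions.append(("load", target))
    if not actions:
        actions.append(("noop", "blacklisted"))
    return actions


def compare(cfg: ModprobeConfig, name: str) -> dict[str, list]:
    """Side-by-side result for one name under both behaviours."""
    return {
        "module-init-tools": resolve(cfg, name, honour_blacklist_for_aliases=True),
        "kmod (pre-fix)": resolve(cfg, name, honour_blacklist_for_aliases=False),
    }


# Constructed sample configuration in modprobe.d style (not from any real system).
SAMPLE_CONF = """\
alias net-pf-3 ax25           # AF_AX25 = 3; normally supplied by modules.alias
blacklist ax25                # the post-2005 way to disable it
alias net-pf-9 off            # the pre-2005 idiom
alias net-pf-5 appletalk      # AF_APPLETALK = 5
install appletalk /bin/true   # 'install' override: robust to the alias bug
"""

if __name__ == "__main__":
    cfg = parse_modprobe_conf(SAMPLE_CONF)
    for request in ("net-pf-3", "ax25", "net-pf-9", "net-pf-5"):
        print(request, compare(cfg, request))
```

The "net-pf-3" row is the case from the thread: under module-init-tools the request is a no-op, under the pre-fix kmod it loads ax25, which is exactly what an unprivileged socket(2) call would reach. The "ax25" row shows that "blacklist" was never meant to stop a direct "modprobe ax25", so it is not a substitute for removing the module. The "net-pf-5" row shows why "install <module> /bin/true" kept working across the migration: the override applies to the resolved module, not to the alias.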