Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 28 Nov 2017 12:20:32 -0800
From: Kees Cook <>
To: Linus Torvalds <>
Cc: "Theodore Ts'o" <>, Djalal Harouni <>, Jonathan Corbet <>, 
	James Morris <>, 
	LSM List <>, 
	Linux Kernel Mailing List <>, 
	"" <>, Geo Kozey <>
Subject: Re: Re: [PATCH v5 next 5/5] net: modules: use
 request_module_cap() to load 'netdev-%s' modules

On Tue, Nov 28, 2017 at 12:12 PM, Linus Torvalds
<> wrote:
> On Tue, Nov 28, 2017 at 12:08 PM, Kees Cook <> wrote:
>> Linus, are you okay with this series if the global sysctl gets dropped?
> So really, it's not the "global sysctl" as much as the "global
> request_module()" that annoys me.
> I'll happily take the request_module_cap() part and the thing that
> makes networking use that.
> But the flag that we have to default to off because it breaks every
> single box otherwise? No. It doesn't  matter if it's one single global
> or just a "global behavior for request_module() for this process" at
> that point, it's still a pointless security flag that is opt-in.

To be clear: such a flag wouldn't doesn't break every system, but I
understand your concern.

So what's the right path forward for allowing a way to block
autoloading? Separate existing request_module() calls into "must be
privileged" and "can be unpriv" first, then rework the series to deal
with the "unpriv okay" subset?


Kees Cook
Pixel Security

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.