Date: Tue, 28 Nov 2017 12:33:22 -0800
From: Linus Torvalds <torvalds@...ux-foundation.org>
To: Kees Cook <keescook@...omium.org>
Cc: "Theodore Ts'o" <tytso@....edu>, Djalal Harouni <tixxdz@...il.com>, Jonathan Corbet <corbet@....net>, James Morris <james.l.morris@...cle.com>, LSM List <linux-security-module@...r.kernel.org>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, Geo Kozey <geokozey@...lfence.com>
Subject: Re: Re: [PATCH v5 next 5/5] net: modules: use request_module_cap() to load 'netdev-%s' modules

On Tue, Nov 28, 2017 at 12:20 PM, Kees Cook <keescook@...omium.org> wrote:
>
> So what's the right path forward for allowing a way to block
> autoloading? Separate existing request_module() calls into "must be
> privileged" and "can be unpriv" first, then rework the series to deal
> with the "unpriv okay" subset?

So once we've taken care of the networking ones that check their own
different capability bit, maybe we can then make the regular
request_module() do a rate-limited warning for non-CAP_SYS_MODULE uses
that prints which module it's loading.

And then just see what people report.

Because maybe it's just a very small handful that matters, and we can
say "those are ok".

And maybe that is too optimistic, and we have a lot of device driver
ones because people still have a static /dev and don't have udev
populating modules and device nodes, and then maybe we need to
introduce a "request_module_dev()" where the rule is that you had to
at least have privileges to open the device node.

Because I really am *not* interested in these security flags that are
off by default and then get turned on by special cases.

I think it's completely unacceptable to say "we're insecure by default
but then you can do X and be secure".

It doesn't work. It doesn't fix anything.

Linus