Date: Tue, 28 Nov 2017 18:49:20 -0500 From: Theodore Ts'o <tytso@....edu> To: Kees Cook <keescook@...omium.org> Cc: Linus Torvalds <torvalds@...ux-foundation.org>, Djalal Harouni <tixxdz@...il.com>, Jonathan Corbet <corbet@....net>, James Morris <james.l.morris@...cle.com>, LSM List <linux-security-module@...r.kernel.org>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, Geo Kozey <geokozey@...lfence.com> Subject: Re: Re: [PATCH v5 next 5/5] net: modules: use request_module_cap() to load 'netdev-%s' modules On Tue, Nov 28, 2017 at 03:29:01PM -0800, Kees Cook wrote: > > So in these two cases, if the kernel was built w/o modules, and HDLC > > and DCCP was built-in, you'd be screwed, then? > > Sure, but that's not the common situation. > > > Is the goal here to protect people using distro kernels which build > > the world as modules, including dodgy pieces of kernel code that are > > bug-ridden? > > The bulk of the risk comes from distro kernels, yes. (Though "bug > ridden" is a strong statement. There are and will be bugs, scattered > across a wide portion of the kernel, it's just that modules tend to > cover most of that attack surface.) OK, but if the goal is to protect users who are running distro kernels, then a kernel config that breaks some percentage of users is ****highly**** unlikely to be enabled by Red Hat and SuSE, right? And many of these users either can't (from a skills perspective) or won't (because they lose all support from the enterprise distro's help desk) recompile their kernel to enable an "might break 3% of all users --- oh, well" config option. Which argues for being extremely conservative about making something that has an extremely low probability of breaking users, and it points out why Geo Kozey's "who cares about breaking users; security is IMPORTANT" argument is so wrong-headed. If the goal is to protect distro kernels, but a sloppy approach guarantees that distro kernels will never enable it, is it really worth it? - Ted P.S. This is where it might be useful to get some input from the Red Hat and SuSE support teams. How many angry user calls to their help desk are they willing to field before they'll just turn off the kernel config option for their kernels?
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.