Date: Thu, 30 Nov 2017 09:50:27 +0100 From: Djalal Harouni <tixxdz@...il.com> To: Daniel Micay <danielmicay@...il.com> Cc: Linus Torvalds <torvalds@...ux-foundation.org>, Kees Cook <keescook@...omium.org>, Jessica Yu <jeyu@...nel.org>, LSM List <linux-security-module@...r.kernel.org>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com> Subject: Re: Re: [PATCH v5 next 5/5] net: modules: use request_module_cap() to load 'netdev-%s' modules On Thu, Nov 30, 2017 at 7:51 AM, Daniel Micay <danielmicay@...il.com> wrote: [...] > Lots of potential module attack surface also gets eliminated by default > via their SELinux whitelists for /dev, /sys, /proc, debugfs, ioctl > commands, etc. The global seccomp whitelist might be relevant in some > cases too. In embedded systems we can't maintain a SELinux policy, distro man power hardly manage. We have abstracted seccomp etc, but the kernel inherited the difficult multiplex things, plus all other paths that trigger this. > Android devices like to build everything into the kernel too, so even if > they weren't using a module this feature wouldn't usually help them. It > would need to work like this existing sysctl: > > net.ipv4.tcp_available_congestion_control = cubic reno lp > > i.e. whitelists for functionality offered by the modules, not just > whether they can be loaded. Yes, but it is hard to maintain a whitelist policy, the code is hardly maintained... if you include everything you should have an LSM policy or something like that, and compiling kernels is expert thing. Otherwise IMHO the kernel should provide default secure behaviour on how to load or add new functionality to the running one. From a user perspective, a switch "yes/no" that a privileged entity will *understand* and assume is what should be there, and the switch or flag as discussed here is local to processes, the sysctl will be removed. IMO it should come from userspace point of view, cause as an example the sysctl: net.ipv4.tcp_available_congestion_control = cubic reno lp Is kernel thing, too technical, userspace developers, admins or privileged entity will not understand what cubic or reno mean. Doing the same per functionality directly like this seems to much of a burden compared to the use case. The kernel maybe can do this to advance the art of the networking stack and for advanced cases, but in IMHO a sane default behaviour + an abstracted process/sandbox flag "yes/no" for most others, userspace developers and humans is what should be provided and we need the kernel to help here. It seems that Linus and kees agreed on this direction which allows me to follow up. Thanks! -- tixxdz
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.