From: Djalal Harouni
Date: Sat, 22 Apr 2017 03:19:55 +0200
Subject: Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction
To: Andy Lutomirski
Cc: Kees Cook, Linux Kernel Mailing List, Andrew Morton, "Serge E. Hallyn", kernel-hardening@lists.openwall.com, LSM List, Linux API, Dongsu Park, Casey Schaufler, James Morris, Paul Moore, Tetsuo Handa, Greg Kroah-Hartman, Jonathan Corbet, Jessica Yu, Rusty Russell, Arnaldo Carvalho de Melo, Mauro Carvalho Chehab, Ingo Molnar, belakhdar abdeldjalil, Peter Zijlstra
References: <1492640420-27345-1-git-send-email-tixxdz@gmail.com> <1492640420-27345-3-git-send-email-tixxdz@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, Apr 22, 2017 at 2:12 AM, Djalal Harouni wrote:
> On Sat, Apr 22, 2017 at 1:51 AM, Andy Lutomirski wrote:
> [...]
>>>> I personally like my implicit_rights idea, and it might be interesting
>>>> to prototype it.
>>>
>>> I don't like blocking a needed feature behind a large super-feature
>>> that doesn't exist yet. We'd be able to refactor this code into using
>>> such a thing in the future, so I'd prefer to move ahead with this
>>> since it would stop actual exploits.
>>
>> I don't think the super-feature is so hard, and I think we should not
>> add the per-task thing the way it's done in this patch. Let's not add
>> per-task things where the best argument for their security is "not
>> sure how it would be exploited".
>
> Actually the XFRM framework CVE-2017-7184 [1] is one real example, of
> course there are others. The exploit was used on a generic distro
> during a security contest; that distro is Ubuntu. That distro will
> never provide a module autoloading restriction by default, to not harm
> its users. Consumers or containers/sandboxes then can run their
> confined apps using such facilities.
>
> These bugs will stay in embedded devices that use these generic
> distros forever.

The DCCP CVE-2017-6074 exploit:
http://seclists.org/oss-sec/2017/q1/503

Well, pretty sure there is more... the bugs are real, as are their exploits.

Anyway, I think these features can coexist as they are optional, and most
process tree protections can get along by design.

-- 
tixxdz