From: ebiederm@xmission.com (Eric W. Biederman)
To: Eric Paris
Cc: linux-kernel@vger.kernel.org, arjan@infradead.org, randy.dunlap@oracle.com, rusty@rustcorp.com.au, andi@firstfloor.org, dhowells@redhat.com, akpm@linux-foundation.org
Subject: Re: request_module vs. modprobe blacklist (and security subsystem implications)
Date: Wed, 21 Oct 2009 18:12:38 -0700
In-Reply-To: <1256137348.4443.39.camel@dhcp231-106.rdu.redhat.com> (Eric Paris's message of "Wed, 21 Oct 2009 11:02:28 -0400")

Eric Paris writes:

> I recently added a new LSM hook into __request_module(),
> security_kernel_module_request(). This new hook checks if a process
> should have permission to trigger the loading of a kernel module. The
> attack vector imagined was that some module (IPX for example) has a
> vulnerability. An attack program (which doesn't have permission to load
> the IPX module directly) might be able to get the networking stack to
> try to autoload the module. Once loaded the attack program could then
> use the larger surface area to exploit the kernel.
>
> We have found that many users disable the IPv6 module by setting their
> modprobe config to look like:
>
> blacklist ipv6
> install ipv6 /bin/true

They need to be using /proc/sys/net/ipv6/conf/*/disable_ipv6 instead,
as the above scenario keeps the bonding driver from loading.

Eric
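The difference the reply points at, as an added example that is not part of the thread: a `blacklist` line only stops alias-driven autoload, while `install MOD /bin/true` answers every modprobe of MOD (including one made on behalf of a dependent module such as bonding) without loading anything. The audit function below scans a modprobe.d directory for both directive kinds and names the sysctl alternative for ipv6; the directory and config lines it demonstrates on are constructed for the demo, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): find "blacklist MOD" and
# "install MOD ..." directives in a modprobe.d-style directory.
# Commented-out lines are ignored. Output is one record per hit:
#   file:lineno:kind:text   where kind is "blacklist" or "install".

# find_module_overrides DIR MOD
# Returns 0 if at least one directive for MOD was found, 1 otherwise.
find_module_overrides() {
    dir=$1; mod=$2; found=1
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # Match only when MOD is the whole second word, so "ipv6" does
        # not also match "ipv6lol".
        matches=$(grep -nE "^[[:space:]]*(blacklist|install)[[:space:]]+$mod([[:space:]]|$)" "$f") || continue
        printf '%s\n' "$matches" | while IFS= read -r line; do
            num=${line%%:*}; text=${line#*:}
            # The directive keyword is the first word of the line.
            kind=$(printf '%s\n' "$text" | sed -E 's/^[[:space:]]*([a-z]+).*/\1/')
            printf '%s:%s:%s:%s\n' "$f" "$num" "$kind" "$text"
        done
        found=0
    done
    return $found
}

# suggested_alternative MOD
# For ipv6, the per-interface knob the reply recommends instead of an
# install override; other modules have no equivalent listed here.
suggested_alternative() {
    case $1 in
        ipv6) echo "/proc/sys/net/ipv6/conf/*/disable_ipv6" ;;
        *)    echo "no sysctl equivalent known for $1" ;;
    esac
}

# Demo on a constructed directory (not a real modprobe.d).
tmp=$(mktemp -d)
printf 'blacklist ipv6\ninstall ipv6 /bin/true\n' > "$tmp/ipv6.conf"
printf '# install ipv6 /bin/true (commented out)\nalias net-pf-10 off\n' > "$tmp/other.conf"
if find_module_overrides "$tmp" ipv6; then
    echo "install override present; use instead: $(suggested_alternative ipv6)"
fi
rm -rf "$tmp"
```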