From: Rusty Russell
To: Eric Paris
Cc: Alan Jenkins, linux-kernel@vger.kernel.org, arjan@infradead.org, randy.dunlap@oracle.com, andi@firstfloor.org, dhowells@redhat.com, akpm@linux-foundation.org
Subject: Re: request_module vs. modprobe blacklist (and security subsystem implications)
Date: Sat, 24 Oct 2009 01:29:52 +1030
Message-Id: <200910240129.53622.rusty@rustcorp.com.au>
In-Reply-To: <1256307830.4443.158.camel@dhcp231-106.rdu.redhat.com>

On Sat, 24 Oct 2009 12:53:50 am Eric Paris wrote:
> On Fri, 2009-10-23 at 19:46 +1030, Rusty Russell wrote:
> > On Fri, 23 Oct 2009 01:00:22 am Eric Paris wrote:
> > > > If a userspace program tries some security exploit that has been closed, do
> > > > you want to warn about it? Because that seems to be the question here.
> > >
> > > I say yes. Knowing that malicious activity is taking place, even if it
> > > didn't hurt anything, is useful.
> >
> > Hi Eric,
> >
> > Your proposal is troubling for three reasons:
> >
> > 1) You would disable logging for things you actually want logged.
>
> I would?

Yep, admin disables loading of ipx to prevent a hole. Now, you no longer get
logging notification.

> > 2) What *actually* happens when ssh tries to load ipv6 is that
> > "modprobe net-pf-10" gets called.
> >
> > 3) Containing modprobe behavior in one set of config files is really nice.
>
> It is, but it also means that we somewhat regularly call userspace
> needlessly and there is nothing an admin can do to stop it.

Yes, but that's nothing to do with SELinux; we exec modprobe for no effect.
Yet I've yet to see a report that this is a performance issue.

These brains are in userspace for a reason.

> But it appears you disagree that fixing that problem is worth it, and I
> don't feel strongly enough to keep arguing :)

But we have learnt something, at least!

Cheers,
Rusty.
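Added example, not part of the thread: a small Python model of what modprobe does with the name the kernel hands it (the "modprobe net-pf-10" case above), using the alias, blacklist and install directives of modprobe.d. It shows the point relevant to an admin disabling ipx: a blacklist line only hides the module from alias lookups, while an install line overrides loading even when the module is named directly. The config lines and module names are constructed, and the resolver models the documented directive semantics, not modprobe's own code.

```python
import fnmatch
import shlex

# Constructed sample of /etc/modprobe.d/*.conf contents (not from the thread).
SAMPLE_CONF = """
# the kernel asks for "net-pf-<family>" when socket() needs a protocol module
alias net-pf-10 ipv6
alias net-pf-4 ipx
alias net-pf-5 appletalk
blacklist ipx                # only hides ipx from alias resolution
install appletalk /bin/true  # replaces loading entirely, even by direct name
"""

def parse_modprobe_conf(text):
    """Parse the modprobe.d directives modelled here: alias, blacklist, install."""
    aliases, blacklist, install = [], set(), {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        words = shlex.split(line)
        if words[0] == "alias" and len(words) == 3:
            aliases.append((words[1], words[2]))
        elif words[0] == "blacklist" and len(words) == 2:
            blacklist.add(words[1])
        elif words[0] == "install" and len(words) >= 3:
            install[words[1]] = " ".join(words[2:])
    return aliases, blacklist, install

def resolve_request(name, conf):
    """Model modprobe's handling of a request_module() name.
    Returns a list of actions: ("load", module), ("run", command) or ("none", name).
    blacklist only removes a module from alias resolution; install overrides
    loading whether the module was reached through an alias or named directly."""
    aliases, blacklist, install = conf
    matched = [mod for pat, mod in aliases if fnmatch.fnmatch(name, pat)]
    if matched:
        targets = [mod for mod in matched if mod not in blacklist]
        if not targets:
            return [("none", name)]  # every alias target blacklisted: nothing loads
    else:
        targets = [name]  # no alias matched: treat the request as a module name
    return [("run", install[m]) if m in install else ("load", m) for m in targets]

if __name__ == "__main__":
    conf = parse_modprobe_conf(SAMPLE_CONF)
    for req in ("net-pf-10", "net-pf-4", "ipx", "net-pf-5", "appletalk"):
        print(req, "->", resolve_request(req, conf))
```

Note that in every case the kernel has already exec'd modprobe before any of this config is consulted, which is the "call userspace needlessly" cost Eric describes and the place where an LSM can still observe the attempt.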