Re: Security: auto-loading protocol modules
On Thu, Nov 18, 2010 at 03:33:36AM +0000, Ben Hutchings wrote:
> Unlike device or filesystem modules, most protocol modules may be auto-
> loaded on behalf of local users without any special capabilities. This
> means that security vulnerabilities in such protocol modules may be
> exploitable by local users even on a system where there is no need for
> the protocol.
>
> Protocol modules are requested via module aliases generated from the
> protocol-family, protocol and type numbers passed to socket().
> Administrators can of course blacklist the modules or disable their
> aliases, but there is an ever-growing list of protocols. There has been
> some discussion upstream of providing a means to disable or restrict
> this auto-loading altogether, but this is currently unresolved.
I've been thinking about this as well, and I'd like to see us come up
with something. It's a shame to put so many users at added risk to
provide support for protocols used by just a fraction.

Removing aliases is certainly one way to do it. One problem with that
is that, if an admin intentionally wants to support a protocol, they
have to leave the module loaded at all times. Big problem? Probably
not.

Another way to do this would be to ship a default blacklist. This
seems like it takes the same amount of local config (instead of adding
to /etc/modules, you'd comment out a line in the blacklist file).

Personally, I've even considered adding dpkg filters to machines I
admin to just avoid having these modules (and others) installed at
all.

-dann
> These are the changes in defined aliases between current stable and
> unstable kernels:
>
> -alias net-pf-10 ipv6
>
> This is now built-in.
>
> +alias net-pf-16-proto-13 ip6_queue
> +alias net-pf-16-proto-3 ip_queue
>
> Netlink support for iptables/ip6tables. This is not new code but
> auto-loading was only enabled in Linux 2.6.30. Most use seems to be
> dependent on capable(CAP_NET_ADMIN).
>
> +alias net-pf-21 rds
>
> This has had several recent vulnerabilities. Perhaps we should remove
> this alias?
>
> +alias net-pf-35 phonet
> +alias net-pf-35-proto-2 pn_pep
>
> I was unable to create AF_PHONET sockets, so I assume they can only be
> created if a suitable device exists.
>
> +alias net-pf-36 af_802154
>
> I have no idea of the security state of this. I was able to create
> AF_IEEE802154 sockets on a system with no suitable devices.
>
> Ben.
>
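The default-blacklist approach discussed in this message, sketched as an added example (not code from the thread or from any Debian package): it reads alias lines in the format printed by `modprobe -c`, picks out the `net-pf-*` aliases that socket() can trigger, and emits a modprobe.d blacklist in which the protocols an admin wants stay commented out. The function names and the `keep` parameter are hypothetical, and the sample input is constructed from the aliases listed above.

```python
import re

# Constructed sample in `modprobe -c` alias format; the net-pf-* entries are
# the aliases quoted in the message, the last line is a non-protocol alias.
SAMPLE_ALIASES = """\
alias net-pf-16-proto-13 ip6_queue
alias net-pf-16-proto-3 ip_queue
alias net-pf-21 rds
alias net-pf-35 phonet
alias net-pf-35-proto-2 pn_pep
alias net-pf-36 af_802154
alias char-major-10-200 tun
"""

# net-pf-<family>[-proto-<protocol>][-type-<type>] <module>
ALIAS_RE = re.compile(
    r"^alias\s+(net-pf-\d+(?:-proto-\d+)?(?:-type-\d+)?)\s+(\S+)$")


def normalise(module):
    """modprobe treats '-' and '_' in module names as the same character."""
    return module.replace("-", "_")


def protocol_aliases(text):
    """Map module name -> list of net-pf-* aliases that can auto-load it."""
    by_module = {}
    for line in text.splitlines():
        m = ALIAS_RE.match(line.strip())
        if m:
            by_module.setdefault(normalise(m.group(2)), []).append(m.group(1))
    return by_module


def default_blacklist(text, keep=()):
    """Return modprobe.d lines; modules named in keep are left commented out."""
    wanted = {normalise(k) for k in keep}
    lines = []
    for module, aliases in sorted(protocol_aliases(text).items()):
        lines.append("# %s is auto-loadable via: %s" % (module, ", ".join(aliases)))
        # `blacklist` makes modprobe ignore the module's built-in aliases, so
        # socket() no longer loads it; an explicit `modprobe <module>` still works.
        prefix = "# " if module in wanted else ""
        lines.append("%sblacklist %s" % (prefix, module))
    return lines


if __name__ == "__main__":
    print("\n".join(default_blacklist(SAMPLE_ALIASES, keep={"ip_queue", "ip6_queue"})))
```

On a real system the input would come from `modprobe -c`, and the output would be reviewed before being placed in a file under /etc/modprobe.d/.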