
Re: Security: auto-loading protocol modules



On Thu, Nov 18, 2010 at 03:33:36AM +0000, Ben Hutchings wrote:
> Unlike device or filesystem modules, most protocol modules may be auto-
> loaded on behalf of local users without any special capabilities.  This
> means that security vulnerabilities in such protocol modules may be
> exploitable by local users even on a system where there is no need for
> the protocol.
> 
> Protocol modules are requested via module aliases generated from the
> protocol-family, protocol and type numbers passed to socket().
> Administrators can of course blacklist the modules or disable their
> aliases, but there is an ever-growing list of protocols.  There has been
> some discussion upstream of providing a means to disable or restrict
> this auto-loading altogether, but this is currently unresolved.

I've been thinking about this as well, and I'd like to see us come up
with something. It's a shame to put so many users at added risk to
provide support for protocols used by just a fraction.

Removing aliases is certainly one way to do it. One problem with that
is that, if an admin intentionally wants to support a protocol, they
have to leave the module loaded at all times. Big problem? Probably
not.

Another way to do this would be to ship a default blacklist. This
seems like it takes the same amount of local config (instead of adding
to /etc/modules, you'd comment out a line in the blacklist file).

Personally, I've even considered adding dpkg filters to machines I
admin to just avoid having these modules (and others) installed at
all.

	-dann

> These are the changes in defined aliases between current stable and
> unstable kernels:
> 
> -alias net-pf-10 ipv6
> 
> This is now built-in.  
> 
> +alias net-pf-16-proto-13 ip6_queue
> +alias net-pf-16-proto-3 ip_queue
> 
> Netlink support for iptables/ip6tables.  This is not new code but
> auto-loading was only enabled in Linux 2.6.30.  Most use seems to be
> dependent on capable(CAP_NET_ADMIN).
> 
> +alias net-pf-21 rds
> 
> This has had several recent vulnerabilities.  Perhaps we should remove
> this alias?
> 
> +alias net-pf-35 phonet
> +alias net-pf-35-proto-2 pn_pep
> 
> I was unable to create AF_PHONET sockets, so I assume they can only be
> created if a suitable device exists.
> 
> +alias net-pf-36 af_802154
> 
> I have no idea of the security state of this.  I was able to create
> AF_IEEE802154 sockets on a system with no suitable devices.
> 
> Ben.
> 
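
The default-blacklist approach discussed in this message, as an added example that is not part of the original thread or of any Debian tooling: it parses `net-pf-*` alias lines and emits modprobe.d `blacklist` entries for every protocol module not explicitly wanted. The function names, the `keep` allow-list and the choice of modules to keep are assumptions; the sample input reuses the alias lines quoted above.

```python
import re
from collections import defaultdict

# Sample input: the alias lines listed in the quoted message above.
SAMPLE = """\
alias net-pf-16-proto-13 ip6_queue
alias net-pf-16-proto-3 ip_queue
alias net-pf-21 rds
alias net-pf-35 phonet
alias net-pf-35-proto-2 pn_pep
alias net-pf-36 af_802154
"""

# Address-family numbers from <linux/socket.h> for the families above.
AF_NAMES = {16: "AF_NETLINK", 21: "AF_RDS", 35: "AF_PHONET", 36: "AF_IEEE802154"}

# net-pf-<family>[-proto-<protocol>][-type-<type>] <module>
ALIAS_RE = re.compile(
    r"^alias\s+net-pf-(\d+)(?:-proto-(\d+))?(?:-type-(\d+))?\s+(\S+)$")


def parse_net_aliases(text):
    """Return (family, proto, type, module) for every net-pf-* alias line."""
    found = []
    for line in text.splitlines():
        m = ALIAS_RE.match(line.strip())
        if m:
            fam, proto, typ, module = m.groups()
            found.append((int(fam), proto and int(proto), typ and int(typ), module))
    return found


def blacklist_conf(text, keep=()):
    """Build modprobe.d lines that stop alias-triggered loading of each
    protocol module, except those named in `keep` (hypothetical allow-list)."""
    by_module = defaultdict(list)
    for fam, proto, _typ, module in parse_net_aliases(text):
        label = AF_NAMES.get(fam, "family %d" % fam)
        if proto is not None:
            label += " proto %d" % proto
        by_module[module].append(label)
    out = []
    for module in sorted(by_module):
        if module not in keep:
            out.append("# socket() trigger: " + ", ".join(by_module[module]))
            out.append("blacklist " + module)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(blacklist_conf(SAMPLE, keep={"ip_queue", "ip6_queue"}), end="")
```

A `blacklist` entry only makes modprobe ignore the module's aliases, so an administrator can still load a listed module explicitly by name when the protocol is needed.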


