From mboxrd@z Thu Jan 1 00:00:00 1970
From: Daniel Micay
To: Linus Torvalds, Kees Cook
Cc: Djalal Harouni, Jessica Yu, LSM List, Linux Kernel Mailing List, "kernel-hardening@lists.openwall.com"
Date: Thu, 30 Nov 2017 01:51:17 -0500
Subject: Re: [kernel-hardening] Re: [PATCH v5 next 5/5] net: modules: use request_module_cap() to load 'netdev-%s' modules
Message-ID: <1512024677.1374.168.camel@gmail.com>
References: <1511803118-2552-1-git-send-email-tixxdz@gmail.com> <1511803118-2552-6-git-send-email-tixxdz@gmail.com> <1100603534.56586.1511871419952@ichabod.co-bxl> <20171128193243.4fymnjk7fplqw62x@thunk.org> <708003731.69563.1511905898471@ichabod.co-bxl>
X-Mailing-List: linux-kernel@vger.kernel.org

> And once you disable it by default, and it becomes purely opt-in, that
> means that nothing will change for most cases. Some embedded people
> that do their own thing (ie Android) might change, but normal
> distributions probably won't.
>
> Yes, Android may be 99% of the users, and yes, the embedded world in
> general needs to be secure, but I'd still like this to be something
> that helps _everybody_.

Android devices won't get much benefit since they ship a tiny set of modules chosen for the device. The kernels already get very stripped down to the bare minimum vs. enabling every feature and driver available and shipping it all by default on a traditional distribution. Lots of potential module attack surface also gets eliminated by default via their SELinux whitelists for /dev, /sys, /proc, debugfs, ioctl commands, etc. The global seccomp whitelist might be relevant in some cases too.

Android devices like to build everything into the kernel too, so even if they weren't using a module this feature wouldn't usually help them.

It would need to work like this existing sysctl:

net.ipv4.tcp_available_congestion_control = cubic reno lp

i.e. whitelists for functionality offered by the modules, not just whether they can be loaded.
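The distinction the message draws, gating what a loaded module may be used for rather than only whether it can be loaded, is what the TCP congestion control sysctls already do: net.ipv4.tcp_available_congestion_control lists what is built in or loaded, and net.ipv4.tcp_allowed_congestion_control is the whitelist an unprivileged socket is held to when it calls setsockopt(TCP_CONGESTION). The following C program is an added userspace model of that two-gate check, written for this page; it is not kernel code and not part of the e-mail thread. The function names (ca_list_has, ca_list_contains, ca_validate_allowed, ca_select), the verdict enum and the sample sysctl strings are this example's own constructions; the kernel's real behaviour it imitates is: names must match a whole space-separated token, writing a whitelist that names an unloaded algorithm is rejected, and only a CAP_NET_ADMIN caller may pick an algorithm outside the whitelist (the kernel also only attempts module autoloading for that privileged caller).

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not kernel code: a userspace model of a "functionality
 * whitelist" in the style of net.ipv4.tcp_allowed_congestion_control.
 * All identifiers below are this example's own, not kernel symbols.
 */

enum ca_verdict {
	CA_OK,            /* selection succeeds */
	CA_NOT_AVAILABLE, /* nothing by that name is built in or loaded (kernel: -ENOENT) */
	CA_NOT_ALLOWED,   /* loaded, but not whitelisted for this caller (kernel: -EPERM) */
};

/* True if the nlen-byte name appears as a whole, whitespace-separated token
 * of list.  Prefix matches ("cub" against "cubic") and the empty name never
 * match, so a whitelist entry can only name one exact algorithm. */
static bool ca_list_has(const char *list, const char *name, size_t nlen)
{
	const char *p = list;

	if (nlen == 0)
		return false;
	while (*p) {
		while (*p == ' ' || *p == '\n' || *p == '\t')
			p++;
		const char *tok = p;
		while (*p && *p != ' ' && *p != '\n' && *p != '\t')
			p++;
		if ((size_t)(p - tok) == nlen && memcmp(tok, name, nlen) == 0)
			return true;
	}
	return false;
}

static bool ca_list_contains(const char *list, const char *name)
{
	return ca_list_has(list, name, strlen(name));
}

/* Write-side gate, as when an administrator writes the allowed sysctl:
 * every token of the proposed whitelist must already be available, so the
 * whitelist can only narrow what loaded modules offer, never reach past it.
 * Returns 0 or -ENOENT (assumed to mirror the kernel's rejection). */
static int ca_validate_allowed(const char *available, const char *allowed)
{
	const char *p = allowed;

	while (*p) {
		while (*p == ' ' || *p == '\n' || *p == '\t')
			p++;
		const char *tok = p;
		while (*p && *p != ' ' && *p != '\n' && *p != '\t')
			p++;
		size_t n = (size_t)(p - tok);
		if (n && !ca_list_has(available, tok, n))
			return -ENOENT;
	}
	return 0;
}

/* Read-side gate for a setsockopt(TCP_CONGESTION)-style request.  Two
 * independent questions: can the algorithm be reached at all, and may this
 * caller use it.  Only a privileged caller (CAP_NET_ADMIN in the kernel)
 * bypasses the whitelist; the module being loaded is not by itself enough. */
static enum ca_verdict ca_select(const char *available, const char *allowed,
				 const char *name, bool privileged)
{
	if (!ca_list_contains(available, name))
		return CA_NOT_AVAILABLE;
	if (!privileged && !ca_list_contains(allowed, name))
		return CA_NOT_ALLOWED;
	return CA_OK;
}

int main(void)
{
	/* Constructed sample sysctl contents; nothing is read from a live system. */
	const char *available = "cubic reno lp bbr\n";
	const char *allowed   = "cubic reno\n";
	const char *names[] = { "cubic", "lp", "cub", "vegas" };
	static const char *verdict[] = { "ok", "not available", "not allowed" };

	printf("whitelist accepted: %s\n",
	       ca_validate_allowed(available, allowed) == 0 ? "yes" : "no");
	for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++)
		printf("%-6s unprivileged=%-13s privileged=%s\n", names[i],
		       verdict[ca_select(available, allowed, names[i], false)],
		       verdict[ca_select(available, allowed, names[i], true)]);
	return 0;
}
```

The point to take from the model is that "lp" is loaded and visible in the available list yet still unusable by an unprivileged socket, which is exactly the property a per-module load gate cannot express: once a module is in the kernel, a load-time check has nothing left to say about who may use what it registered.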