[PATCH] UBUNTU: SAUCE: [net] disable autoloading of rare protocols

Kees Cook kees.cook at canonical.com
Tue Jan 11 23:39:50 UTC 2011


On Tue, Jan 11, 2011 at 05:22:21PM -0600, Tim Gardner wrote:
> On 01/11/2011 04:54 PM, Kees Cook wrote:
> >This disables the autoloading of several rare network protocols
> >in an effort to reduce exposure to potential future security
> >issues with them, as recently demonstrated with RDS and Econet.

It's been recommended to possibly add can, rose, ax25, netrom, and phonet
to this list too.

> I'm not entirely opposed (having followed the original discussion on
> netdev). Could you describe for this list under what circumstances a
> protocol module is loaded and what DOSs and vulnerabilities this
> will prevent? I assume there are both user space and network receive
> side issues.

AFAIU, it is strictly a local issue. A process running:

    socket(AF_$SOMETHING, ...)

will trigger the kernel to autoload "net-pf-NNN". For a complete list of these
aliases, see the output of:

    egrep "net-pf-[0-9]+ " /lib/modules/$(uname -r)/modules.alias

-Kees

-- 
Kees Cook
Ubuntu Security Team
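The mechanism Kees describes above, worked through as an added example that is not part of the thread or of the Ubuntu patch: a small POSIX shell script that extracts the "net-pf-NNN" aliases from a modules.alias file (the same aliases the egrep above lists), maps a numeric address family to the module socket() would pull in, and emits modprobe.d "install MODULE /bin/true" lines that make that autoload a no-op from user space, which is the usual way to get the same effect on a kernel that does not carry the patch. The modules.alias sample is constructed for offline use; the family numbers in its comment are the AF_* values from include/linux/socket.h.

```shell
#!/bin/sh
# Added example, not code from the kernel-team thread or the SAUCE patch.
# Assumes modules.alias uses the "alias net-pf-NN module" form that depmod
# writes; the sample file below is constructed so the script runs offline.

# Print "family module" pairs for every plain net-pf-NN alias in the file.
# The trailing space in the pattern skips "net-pf-NN-proto-MM" entries
# (per-protocol aliases such as netlink's), matching the egrep in the mail.
netpf_aliases() {
    # $1: path to a modules.alias file
    sed -n 's/^alias net-pf-\([0-9][0-9]*\) \([^ ]*\).*$/\1 \2/p' "$1"
}

# Name of the module that socket(AF_<n>, ...) would autoload, or nothing
# if no module registers that family.
module_for_family() {
    # $1: modules.alias path, $2: numeric address family
    netpf_aliases "$1" | awk -v fam="$2" '$1 == fam { print $2; exit }'
}

# Emit a modprobe.d "install MODULE /bin/true" line for each module in the
# deny list that actually has a net-pf alias in this modules.alias, so the
# kernel's request_module("net-pf-NN") for it resolves to a no-op.
deny_autoload() {
    # $1: modules.alias path; remaining args: module names to deny
    alias_file=$1; shift
    for mod in "$@"; do
        if [ -n "$(netpf_aliases "$alias_file" | awk -v m="$mod" '$2 == m')" ]; then
            echo "install $mod /bin/true"
        fi
    done
}

# Constructed sample in the form depmod emits (family numbers from
# include/linux/socket.h: AF_AX25=3, AF_NETROM=6, AF_ROSE=11, AF_ECONET=19,
# AF_RDS=21, AF_CAN=29, AF_PHONET=35). The last two lines are decoys that
# must not be treated as socket-family aliases.
SAMPLE_ALIAS=$(mktemp)
trap 'rm -f "$SAMPLE_ALIAS"' EXIT
cat > "$SAMPLE_ALIAS" <<'EOF'
alias net-pf-3 ax25
alias net-pf-6 netrom
alias net-pf-11 rose
alias net-pf-19 econet
alias net-pf-21 rds
alias net-pf-29 can
alias net-pf-35 phonet
alias net-pf-16-proto-12 nfnetlink
alias usb:v1234p5678d*dc*dsc*dp*ic*isc*ip* some_usb_driver
EOF

# On a live system, point at the real alias database instead, e.g.
#   deny_autoload /lib/modules/$(uname -r)/modules.alias \
#       can rose ax25 netrom phonet rds econet > /etc/modprobe.d/disable-rare-net.conf
deny_autoload "$SAMPLE_ALIAS" can rose ax25 netrom phonet rds econet
```

After installing such a file, `modprobe -n -v net-pf-21` (dry run, verbose) shows whether the alias now resolves to the `install` override rather than to the rds module. Note the difference from the kernel patch: a modprobe.d override only stops the module from being loaded on demand; it does nothing for a protocol that is built in or already loaded, and it is only as good as the list of family numbers you feed it.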
