[PATCH] UBUNTU: SAUCE: [net] disable autoloading of rare protocols

Tim Gardner tcanonical at tpi.com
Wed Jan 12 21:41:21 UTC 2011

On 01/11/2011 05:39 PM, Kees Cook wrote:
> On Tue, Jan 11, 2011 at 05:22:21PM -0600, Tim Gardner wrote:
>> On 01/11/2011 04:54 PM, Kees Cook wrote:
>>> This disables the autoloading of several rare network protocols
>>> in an effort to reduce exposure to potential future security
>>> issues with them, as recently demonstrated with RDS and Econet.
> It's been recommended to possibly add can, rose, ax25, netrom, and phonet
> to this list too.
>> I'm not entirely opposed (having followed the original discussion on
>> netdev). Could you describe for this list under what circumstances a
>> protocol module is loaded and what DOSs and vulnerabilities this
>> will prevent? I assume there are both user space and network receive
>> side issues.
> AFAIU, it is strictly a local issue. A process running:
>      socket(AF_$SOMETHING, ...)
> will trigger the kernel to autoload "net-pf-NNN". For a complete list of these
> aliases, see the output:
>      egrep "net-pf-[0-9]+ " /lib/modules/$(uname -r)/modules.alias
> -Kees

Why don't we blacklist these modules instead of carrying more SAUCE patches?

Tim Gardner tim.gardner at canonical.com

More information about the kernel-team mailing list