[PATCH] UBUNTU: SAUCE: [net] disable autoloading of rare protocols

Tim Gardner tcanonical at tpi.com
Wed Jan 12 21:41:21 UTC 2011


On 01/11/2011 05:39 PM, Kees Cook wrote:
> On Tue, Jan 11, 2011 at 05:22:21PM -0600, Tim Gardner wrote:
>> On 01/11/2011 04:54 PM, Kees Cook wrote:
>>> This disables the autoloading of several rare network protocols
>>> in an effort to reduce exposure to potential future security
>>> issues with them, as recently demonstrated with RDS and Econet.
>
> It's been recommended to possibly add can, rose, ax25, netrom, and phonet
> to this list too.
>
>> I'm not entirely opposed (having followed the original discussion on
>> netdev). Could you describe for this list under what circumstances a
>> protocol module is loaded and what DOSs and vulnerabilities this
>> will prevent? I assume there are both user space and network receive
>> side issues.
>
> AFAIU, it is strictly a local issue. A process running:
>
>      socket(AF_$SOMETHING, ...)
>
> will trigger the kernel to autoload "net-pf-NNN". For a complete list of these
> aliases, see the output:
>
>      egrep "net-pf-[0-9]+ " /lib/modules/$(uname -r)/modules.alias
>
> -Kees
>

Why don't we blacklist these modules instead of carrying more SAUCE patches?

-- 
Tim Gardner tim.gardner at canonical.com
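The modprobe-side alternative Tim raises can be checked mechanically. The script below is an added example, not code from this thread or from Ubuntu's kernel packaging: it maps the net-pf-NNN aliases Kees points at to their modules and reports which ones no modprobe.d rule blocks. The alias table and rule set are constructed samples; the live check at the end assumes the usual /lib/modules and /etc/modprobe.d locations.

```shell
#!/bin/sh
# Constructed sample in the format of modules.alias ("alias <alias> <module>").
# Family numbers are the PF_* values from <linux/socket.h>.
SAMPLE_ALIASES='alias char-major-10-200 tun
alias net-pf-3 ax25
alias net-pf-6 netrom
alias net-pf-11 rose
alias net-pf-19 econet
alias net-pf-21 rds
alias net-pf-29 can'

# Constructed sample of modprobe.d rules, covering three idioms that stop
# request_module("net-pf-NNN") from loading the protocol:
#   blacklist <mod>          ignore the module's internal aliases (net-pf-NNN is one)
#   install <mod> /bin/true  replace the load with a no-op, also for explicit modprobe
#   alias net-pf-N off       point the alias at a name no module has
SAMPLE_RULES='blacklist rds
install econet /bin/true
alias net-pf-3 off
blacklist netrom'

# Print "net-pf-NNN module" for every protocol alias that no rule blocks.
# $1: modules.alias content, $2: concatenated modprobe.d content.
unblocked_protocols() {
    rules=$(printf '%s\n' "$2" | tr '-' '_')   # modprobe treats '-' and '_' alike
    printf '%s\n' "$1" | while read -r kw al mod; do
        [ "$kw" = alias ] || continue
        case "$al" in net-pf-[0-9]*) ;; *) continue ;; esac   # skip non-protocol aliases
        m=$(printf '%s' "$mod" | tr '-' '_')
        a=$(printf '%s' "$al" | tr '-' '_')
        if printf '%s\n' "$rules" | grep -Eq \
            "^[[:space:]]*(blacklist[[:space:]]+$m|install[[:space:]]+$m[[:space:]]+/bin/(true|false)|alias[[:space:]]+$a[[:space:]]+off)[[:space:]]*$"
        then
            continue
        fi
        printf '%s %s\n' "$al" "$mod"
    done
}

# Number of protocol modules that socket(AF_*) could still autoload.
count_unblocked() { unblocked_protocols "$1" "$2" | wc -l | tr -d ' '; }

# Against the sample: rose and can remain autoloadable.
unblocked_protocols "$SAMPLE_ALIASES" "$SAMPLE_RULES"

# Against the live system, when the running kernel's alias table is readable.
ALIAS_FILE=/lib/modules/$(uname -r)/modules.alias
if [ -r "$ALIAS_FILE" ]; then
    unblocked_protocols "$(cat "$ALIAS_FILE")" "$(cat /etc/modprobe.d/*.conf 2>/dev/null)"
fi
```

Note that `blacklist` alone still allows an explicit `modprobe <mod>` by root; the `install ... /bin/true` form blocks that path too.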
