On Tue, Nov 28, 2017 at 12:12 PM, Linus Torvalds
[off-list ref] wrote:

On Tue, Nov 28, 2017 at 12:08 PM, Kees Cook [off-list ref] wrote:

quoted

Linus, are you okay with this series if the global sysctl gets dropped?

So really, it's not the "global sysctl" as much as the "global
request_module()" that annoys me.

I'll happily take the request_module_cap() part and the thing that
makes networking use that.

But the flag that we have to default to off because it breaks every
single box otherwise? No. It doesn't  matter if it's one single global
or just a "global behavior for request_module() for this process" at
that point, it's still a pointless security flag that is opt-in.

To be clear: such a flag wouldn't doesn't break every system, but I
understand your concern.

So what's the right path forward for allowing a way to block
autoloading? Separate existing request_module() calls into "must be
privileged" and "can be unpriv" first, then rework the series to deal
with the "unpriv okay" subset?

-Kees

-- 
Kees Cook
Pixel Security
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html