Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading... | netdev

[PATCH v4 next 0/3] modules: automatic module loading restrictions · Djalal Harouni <hidden> · 2017-05-22
[PATCH v4 next 1/3] modules:capabilities: allow __request_module() to take a capability argument · Djalal Harouni <hidden> · 2017-05-22
Re: [PATCH v4 next 1/3] modules:capabilities: allow __request_module() to take a capability argument · Kees Cook <hidden> · 2017-05-22
Re: [PATCH v4 next 1/3] modules:capabilities: allow __request_module() to take a capability argument · Djalal Harouni <hidden> · 2017-05-23
Re: [PATCH v4 next 1/3] modules:capabilities: allow __request_module() to take a capability argument · Kees Cook <hidden> · 2017-05-23
Re: [PATCH v4 next 1/3] modules:capabilities: allow __request_module() to take a capability argument · Djalal Harouni <hidden> · 2017-05-24
Re: [PATCH v4 next 1/3] modules:capabilities: allow __request_module() to take a capability argument · Kees Cook <hidden> · 2017-05-30
Re: [PATCH v4 next 1/3] modules:capabilities: allow __request_module() to take a capability argument · Djalal Harouni <hidden> · 2017-06-01
Re: [PATCH v4 next 1/3] modules:capabilities: allow __request_module() to take a capability argument · Kees Cook <hidden> · 2017-06-01
Re: [PATCH v4 next 1/3] modules:capabilities: allow __request_module() to take a capability argument · Djalal Harouni <hidden> · 2017-09-02
[PATCH v4 next 3/3] modules:capabilities: add a per-task modules auto-load mode · Djalal Harouni <hidden> · 2017-05-22
Re: [PATCH v4 next 3/3] modules:capabilities: add a per-task modules auto-load mode · kbuild test robot <hidden> · 2017-05-23
[PATCH v4 next 2/3] modules:capabilities: automatic module loading restriction · Djalal Harouni <hidden> · 2017-05-22
Re: [PATCH v4 next 2/3] modules:capabilities: automatic module loading restriction · Kees Cook <hidden> · 2017-05-22
Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions · Solar Designer <hidden> · 2017-05-22
Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions · Djalal Harouni <hidden> · 2017-05-22
Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions · Solar Designer <hidden> · 2017-05-22
Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions · Djalal Harouni <hidden> · 2017-05-22
Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions · Kees Cook <hidden> · 2017-05-22
Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions · Andy Lutomirski <luto@kernel.org> · 2017-05-22
Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions · Kees Cook <hidden> · 2017-05-22
Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions · Djalal Harouni <hidden> · 2017-05-23
Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions · Solar Designer <hidden> · 2017-05-23
Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions · Kees Cook <hidden> · 2017-05-23
Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions · Andy Lutomirski <luto@kernel.org> · 2017-05-23
Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions · Djalal Harouni <hidden> · 2017-05-24

Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions

From: Kees Cook <hidden>
Date: 2017-05-22 23:52:22
Also in: linux-api, linux-security-module, lkml

On Mon, May 22, 2017 at 4:38 PM, Andy Lutomirski [off-list ref] wrote:

I think that having the un-resettable mode is unnecessary.  We should
have option that disables loading modules entirely and cannot be
unset.  (That means no explicit loads and not implicit loads.)  Maybe
we already have this.  Otherwise, tightening caps needed for implicit
loads should just be a normal yes/no setting IMO.

Yup, /proc/sys/kernel/modules_disabled already does this.

-- 
Kees Cook
Pixel Security

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help