xorl %eax, %eax

Linux kernel Disable Auto-Loading of Kernel Modules


Yesterday, I saw this email and I was like WTF?!
The patch simply comments out the MODULE_ALIAS_NETPROTO() macros of the RDS and ECONET protocols, but seriously… is this a security patch?
What? Are Linux developers too cool for a simple patch such as grsecurity’s MODHARDEN?
If someone was going to own a system using a local root in some exotic protocol family, he has probably already done so before his bug was killed. So the aim of this patch is to avoid other vulnerabilities in those two modules by completely disabling them. Then what’s the purpose of compiling them and keeping them in the Linux kernel?
I don’t like spender (and he doesn’t like me either), but that has nothing to do with his MODHARDEN patch, which is a very sane mitigation strategy against such vulnerabilities.
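As an added example (not from the post or from the kernel patch), here is the userspace side of the same idea: a small POSIX shell audit of a modprobe.d-style drop-in that tells apart a `blacklist` line (which only drops the module's internal aliases such as the net-pf-* ones, so the protocol-family path no longer auto-loads it but root can still load it by name, the same effect the kernel patch gets by removing MODULE_ALIAS_NETPROTO) from an `install <mod> /bin/true` line (which also defeats an explicit modprobe by name). The sample config and module list are constructed for the example.

```shell
#!/bin/sh
# Classify how a modprobe.d configuration treats a module:
#   blocked   - `install <mod> /bin/true` (or /bin/false): neither an alias
#               request from the kernel nor `modprobe <mod>` inserts it
#   blacklist - `blacklist <mod>` only: alias-triggered auto-loading stops,
#               but an administrator can still `modprobe <mod>` by name
#   loadable  - the configuration does not mention the module
# Commented-out lines are ignored, since they provide no protection.
# Note: modprobe treats '-' and '_' in module names as equivalent; this
# check does not normalise them, so query with the spelling used in the file.
autoload_policy() {
    mod=$1
    conf=$2   # modprobe.d-style text
    if printf '%s\n' "$conf" | grep -Eq \
        "^[[:space:]]*install[[:space:]]+$mod[[:space:]]+/bin/(true|false)([[:space:]]|$)"; then
        echo blocked
    elif printf '%s\n' "$conf" | grep -Eq \
        "^[[:space:]]*blacklist[[:space:]]+$mod([[:space:]]|$)"; then
        echo blacklist
    else
        echo loadable
    fi
}

# Report "<module> <policy>" for each module named on the command line.
audit_modules() {
    conf=$1; shift
    for m in "$@"; do
        echo "$m $(autoload_policy "$m" "$conf")"
    done
}

# Constructed sample drop-in, modelled on a file under /etc/modprobe.d/.
SAMPLE_CONF='# block alias-triggered and explicit loading of the two protocols
install rds /bin/true
install econet /bin/true
# stop auto-loading by alias only; root can still modprobe it by name
blacklist appletalk
# a commented-out directive must not be counted as protection
# install ipx /bin/true
'

audit_modules "$SAMPLE_CONF" rds econet appletalk ipx
```

On a live system, `modprobe -n -v <mod>` (a dry run) shows which directive modprobe would actually apply, which is the check to run after editing the drop-in.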

Written by xorl

December 1, 2010 at 07:59

Posted in linux, security

2 Responses


  1. While preventing auto-loading would be ideal from a security perspective, there are numerous problems with disabling it entirely – it breaks many distros by default. Blacklisting (or better yet, whitelisting) modules is a good step in limiting the attack surface. The modules are compiled so an administrator can still explicitly load them if he wants to actually use them, which is the right approach.

    Dan Rosenberg

    December 1, 2010 at 08:50

  2. How about a default of enabled auto-loading managed through procfs?
    I personally find black/white-listing useless.
    December 1, 2010 at 09:15
