Question regarding legitimate loading of kernel modules during runtime

Question regarding legitimate loading of kernel modules during runtime

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 570 bytes --]

Hello development folks,

just to make sure I am not about to submit another breaking patch: Is there any
legitimate reason why a non-privileged user shall load kernel modules on an IPFire
machine during its runtime?

Personally, I am only aware of some connection tracking stuff, but these require
a reboot, thus being out of scope. Unless I overlooked something else, I would like
to file a patch turning dev.tty.ldisc_autoload to 0. :-)

(Further information is available at https://lkml.org/lkml/2019/4/15/890)

Thanks, and best regards,
Peter Müller

[PATCH] sysctl.conf: prevent autoloading of TTY line disciplines

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 1372 bytes --]

Malicious/vulnerable TTY line disciplines have been subject of some
kernel exploits such as CVE-2017-2636, and since - to put it in Greg
Kroah-Hatrman's words - we do not "trust the userspace to do the right
thing", this reduces local kernel attack surface.

Further, there is no legitimate reason why an unprivileged user should
load kernel modules during runtime, anyway.

See also:
- https://lkml.org/lkml/2019/4/15/890
- https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html

Cc: Arne Fitzenreiter <arne.fitzenreiter(a)ipfire.org>
Cc: Michael Tremer <michael.tremer(a)ipfire.org>
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/etc/sysctl.conf | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
index d48c7734e..b5ede15ed 100644
--- a/config/etc/sysctl.conf
+++ b/config/etc/sysctl.conf
@@ -39,6 +39,10 @@ net.bridge.bridge-nf-call-ip6tables = 0
 net.bridge.bridge-nf-call-iptables = 0
 net.bridge.bridge-nf-call-arptables = 0
 
+# Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent unprivileged attackers
+# from loading vulnerable line disciplines with the TIOCSETD ioctl.
+dev.tty.ldisc_autoload = 0
+
 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
 kernel.kptr_restrict = 2
 
-- 
2.26.2

Re: [PATCH] sysctl.conf: prevent autoloading of TTY line disciplines

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 1574 bytes --]

This does not exist before kernel 5.1.

-Michael

> On 5 Oct 2020, at 20:45, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> Malicious/vulnerable TTY line disciplines have been subject of some
> kernel exploits such as CVE-2017-2636, and since - to put it in Greg
> Kroah-Hatrman's words - we do not "trust the userspace to do the right
> thing", this reduces local kernel attack surface.
> 
> Further, there is no legitimate reason why an unprivileged user should
> load kernel modules during runtime, anyway.
> 
> See also:
> - https://lkml.org/lkml/2019/4/15/890
> - https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html
> 
> Cc: Arne Fitzenreiter <arne.fitzenreiter(a)ipfire.org>
> Cc: Michael Tremer <michael.tremer(a)ipfire.org>
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> config/etc/sysctl.conf | 4 ++++
> 1 file changed, 4 insertions(+)
> 
> diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
> index d48c7734e..b5ede15ed 100644
> --- a/config/etc/sysctl.conf
> +++ b/config/etc/sysctl.conf
> @@ -39,6 +39,10 @@ net.bridge.bridge-nf-call-ip6tables = 0
> net.bridge.bridge-nf-call-iptables = 0
> net.bridge.bridge-nf-call-arptables = 0
> 
> +# Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent unprivileged attackers
> +# from loading vulnerable line disciplines with the TIOCSETD ioctl.
> +dev.tty.ldisc_autoload = 0
> +
> # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
> kernel.kptr_restrict = 2
> 
> -- 
> 2.26.2

Re: [PATCH] sysctl.conf: prevent autoloading of TTY line disciplines

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 1826 bytes --]

Hello Michael,

grmpf, overlooked some patched distribution kernel again. :-/

Sorry for the noise - I will keep the patch queued and wait for kernel 5.9 ...

Thanks, and best regards,
Peter Müller


> This does not exist before kernel 5.1.
> 
> -Michael
> 
>> On 5 Oct 2020, at 20:45, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>
>> Malicious/vulnerable TTY line disciplines have been subject of some
>> kernel exploits such as CVE-2017-2636, and since - to put it in Greg
>> Kroah-Hatrman's words - we do not "trust the userspace to do the right
>> thing", this reduces local kernel attack surface.
>>
>> Further, there is no legitimate reason why an unprivileged user should
>> load kernel modules during runtime, anyway.
>>
>> See also:
>> - https://lkml.org/lkml/2019/4/15/890
>> - https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html
>>
>> Cc: Arne Fitzenreiter <arne.fitzenreiter(a)ipfire.org>
>> Cc: Michael Tremer <michael.tremer(a)ipfire.org>
>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
>> ---
>> config/etc/sysctl.conf | 4 ++++
>> 1 file changed, 4 insertions(+)
>>
>> diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
>> index d48c7734e..b5ede15ed 100644
>> --- a/config/etc/sysctl.conf
>> +++ b/config/etc/sysctl.conf
>> @@ -39,6 +39,10 @@ net.bridge.bridge-nf-call-ip6tables = 0
>> net.bridge.bridge-nf-call-iptables = 0
>> net.bridge.bridge-nf-call-arptables = 0
>>
>> +# Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent unprivileged attackers
>> +# from loading vulnerable line disciplines with the TIOCSETD ioctl.
>> +dev.tty.ldisc_autoload = 0
>> +
>> # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
>> kernel.kptr_restrict = 2
>>
>> -- 
>> 2.26.2
> 

Re: Question regarding legitimate loading of kernel modules during runtime

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 933 bytes --]

Hello,

We have talked about this on the phone, but just for the record:

No, there is no reason for this. We load kernel modules at runtime, but only root does that. AFAIK there is no unprivileged user loading anything whatsoever.

-Michael

> On 5 Oct 2020, at 17:07, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> Hello development folks,
> 
> just to make sure I am not about to submit another breaking patch: Is there any
> legitimate reason why a non-privileged user shall load kernel modules on an IPFire
> machine during its runtime?
> 
> Personally, I am only aware of some connection tracking stuff, but these require
> a reboot, thus being out of scope. Unless I overlooked something else, I would like
> to file a patch turning dev.tty.ldisc_autoload to 0. :-)
> 
> (Further information is available at https://lkml.org/lkml/2019/4/15/890)
> 
> Thanks, and best regards,
> Peter Müller

Re: [PATCH] sysctl.conf: prevent autoloading of TTY line disciplines

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 2377 bytes --]

Hello Michael,

it seems as the kernel folks backported this into 4.14.x by now:

> [root(a)maverick ~]# uname -a
> Linux maverick 4.14.212-ipfire #1 SMP Wed Dec 16 12:01:25 GMT 2020 x86_64 Intel(R) Celeron(R) CPU N3150 @ 1.60GHz GenuineIntel GNU/Linux
> [root(a)maverick ~]# sysctl dev.tty.ldisc_autoload
> dev.tty.ldisc_autoload = 1

Therefore, I would like to see this patch being merged - that is, if it is still applicable. :-)

Thanks, and best regards,
Peter Müller


> Hello Michael,
> 
> grmpf, overlooked some patched distribution kernel again. :-/
> 
> Sorry for the noise - I will keep the patch queued and wait for kernel 5.9 ...
> 
> Thanks, and best regards,
> Peter Müller
> 
> 
>> This does not exist before kernel 5.1.
>>
>> -Michael
>>
>>> On 5 Oct 2020, at 20:45, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>>
>>> Malicious/vulnerable TTY line disciplines have been subject of some
>>> kernel exploits such as CVE-2017-2636, and since - to put it in Greg
>>> Kroah-Hatrman's words - we do not "trust the userspace to do the right
>>> thing", this reduces local kernel attack surface.
>>>
>>> Further, there is no legitimate reason why an unprivileged user should
>>> load kernel modules during runtime, anyway.
>>>
>>> See also:
>>> - https://lkml.org/lkml/2019/4/15/890
>>> - https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html
>>>
>>> Cc: Arne Fitzenreiter <arne.fitzenreiter(a)ipfire.org>
>>> Cc: Michael Tremer <michael.tremer(a)ipfire.org>
>>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
>>> ---
>>> config/etc/sysctl.conf | 4 ++++
>>> 1 file changed, 4 insertions(+)
>>>
>>> diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
>>> index d48c7734e..b5ede15ed 100644
>>> --- a/config/etc/sysctl.conf
>>> +++ b/config/etc/sysctl.conf
>>> @@ -39,6 +39,10 @@ net.bridge.bridge-nf-call-ip6tables = 0
>>> net.bridge.bridge-nf-call-iptables = 0
>>> net.bridge.bridge-nf-call-arptables = 0
>>>
>>> +# Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent unprivileged attackers
>>> +# from loading vulnerable line disciplines with the TIOCSETD ioctl.
>>> +dev.tty.ldisc_autoload = 0
>>> +
>>> # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
>>> kernel.kptr_restrict = 2
>>>
>>> -- 
>>> 2.26.2
>>

Re: [PATCH] sysctl.conf: prevent autoloading of TTY line disciplines

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 2567 bytes --]

Okay, merged.

> On 2 Apr 2021, at 20:30, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> Hello Michael,
> 
> it seems as the kernel folks backported this into 4.14.x by now:
> 
>> [root(a)maverick ~]# uname -a
>> Linux maverick 4.14.212-ipfire #1 SMP Wed Dec 16 12:01:25 GMT 2020 x86_64 Intel(R) Celeron(R) CPU N3150 @ 1.60GHz GenuineIntel GNU/Linux
>> [root(a)maverick ~]# sysctl dev.tty.ldisc_autoload
>> dev.tty.ldisc_autoload = 1
> 
> Therefore, I would like to see this patch being merged - that is, if it is still applicable. :-)
> 
> Thanks, and best regards,
> Peter Müller
> 
> 
>> Hello Michael,
>> 
>> grmpf, overlooked some patched distribution kernel again. :-/
>> 
>> Sorry for the noise - I will keep the patch queued and wait for kernel 5.9 ...
>> 
>> Thanks, and best regards,
>> Peter Müller
>> 
>> 
>>> This does not exist before kernel 5.1.
>>> 
>>> -Michael
>>> 
>>>> On 5 Oct 2020, at 20:45, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>>> 
>>>> Malicious/vulnerable TTY line disciplines have been subject of some
>>>> kernel exploits such as CVE-2017-2636, and since - to put it in Greg
>>>> Kroah-Hatrman's words - we do not "trust the userspace to do the right
>>>> thing", this reduces local kernel attack surface.
>>>> 
>>>> Further, there is no legitimate reason why an unprivileged user should
>>>> load kernel modules during runtime, anyway.
>>>> 
>>>> See also:
>>>> - https://lkml.org/lkml/2019/4/15/890
>>>> - https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html
>>>> 
>>>> Cc: Arne Fitzenreiter <arne.fitzenreiter(a)ipfire.org>
>>>> Cc: Michael Tremer <michael.tremer(a)ipfire.org>
>>>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
>>>> ---
>>>> config/etc/sysctl.conf | 4 ++++
>>>> 1 file changed, 4 insertions(+)
>>>> 
>>>> diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
>>>> index d48c7734e..b5ede15ed 100644
>>>> --- a/config/etc/sysctl.conf
>>>> +++ b/config/etc/sysctl.conf
>>>> @@ -39,6 +39,10 @@ net.bridge.bridge-nf-call-ip6tables = 0
>>>> net.bridge.bridge-nf-call-iptables = 0
>>>> net.bridge.bridge-nf-call-arptables = 0
>>>> 
>>>> +# Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent unprivileged attackers
>>>> +# from loading vulnerable line disciplines with the TIOCSETD ioctl.
>>>> +dev.tty.ldisc_autoload = 0
>>>> +
>>>> # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
>>>> kernel.kptr_restrict = 2
>>>> 
>>>> -- 
>>>> 2.26.2
>>>