From: "Peter Müller" <peter.mueller@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH] sysctl.conf: prevent autoloading of TTY line disciplines
Date: Mon, 05 Oct 2020 19:45:31 +0000 [thread overview]
Message-ID: <53403b50-5876-58e1-cbc9-7e74badf365d@ipfire.org> (raw)
In-Reply-To: <7e85496c-a7af-eb2d-b9ac-c6a5efcc69a5@ipfire.org>
[-- Attachment #1: Type: text/plain, Size: 1372 bytes --]
Malicious/vulnerable TTY line disciplines have been subject of some
kernel exploits such as CVE-2017-2636, and since - to put it in Greg
Kroah-Hatrman's words - we do not "trust the userspace to do the right
thing", this reduces local kernel attack surface.
Further, there is no legitimate reason why an unprivileged user should
load kernel modules during runtime, anyway.
See also:
- https://lkml.org/lkml/2019/4/15/890
- https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html
Cc: Arne Fitzenreiter <arne.fitzenreiter(a)ipfire.org>
Cc: Michael Tremer <michael.tremer(a)ipfire.org>
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
config/etc/sysctl.conf | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
index d48c7734e..b5ede15ed 100644
--- a/config/etc/sysctl.conf
+++ b/config/etc/sysctl.conf
@@ -39,6 +39,10 @@ net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
+# Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent unprivileged attackers
+# from loading vulnerable line disciplines with the TIOCSETD ioctl.
+dev.tty.ldisc_autoload = 0
+
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
kernel.kptr_restrict = 2
--
2.26.2
next prev parent reply other threads:[~2020-10-05 19:45 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-05 16:07 Question regarding legitimate loading of kernel modules during runtime Peter Müller
2020-10-05 19:45 ` Peter Müller [this message]
2020-10-06 12:26 ` [PATCH] sysctl.conf: prevent autoloading of TTY line disciplines Michael Tremer
2020-10-06 13:03 ` Peter Müller
2021-04-02 19:30 ` Peter Müller
2021-04-06 10:15 ` Michael Tremer
2020-10-07 8:22 ` Question regarding legitimate loading of kernel modules during runtime Michael Tremer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=53403b50-5876-58e1-cbc9-7e74badf365d@ipfire.org \
--to=peter.mueller@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox