From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] sysctl.conf: prevent autoloading of TTY line disciplines
Date: Tue, 06 Oct 2020 13:26:03 +0100
Message-ID: <75BC505A-7F01-435B-B865-4E575684FC86@ipfire.org>
In-Reply-To: <53403b50-5876-58e1-cbc9-7e74badf365d@ipfire.org>

This does not exist before kernel 5.1.

-Michael

> On 5 Oct 2020, at 20:45, Peter Müller wrote:
>
> Malicious/vulnerable TTY line disciplines have been the subject of some
> kernel exploits such as CVE-2017-2636, and since - to put it in Greg
> Kroah-Hartman's words - we do not "trust the userspace to do the right
> thing", this reduces local kernel attack surface.
>
> Further, there is no legitimate reason why an unprivileged user should
> load kernel modules during runtime, anyway.
>
> See also:
> - https://lkml.org/lkml/2019/4/15/890
> - https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html
>
> Cc: Arne Fitzenreiter
> Cc: Michael Tremer
> Signed-off-by: Peter Müller
> ---
> config/etc/sysctl.conf | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
> index d48c7734e..b5ede15ed 100644
> --- a/config/etc/sysctl.conf
> +++ b/config/etc/sysctl.conf
> @@ -39,6 +39,10 @@ net.bridge.bridge-nf-call-ip6tables =3D 0 > net.bridge.bridge-nf-call-iptables =3D 0 > net.bridge.bridge-nf-call-arptables =3D 0 >=20 > +# Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent unpri= vileged attackers > +# from loading vulnerable line disciplines with the TIOCSETD ioctl. > +dev.tty.ldisc_autoload =3D 0 > + > # Try to keep kernel address exposures out of various /proc files (kallsyms= , modules, etc). > kernel.kptr_restrict =3D 2 >=20 > --=20 > 2.26.2 --===============8669424525310273119==--
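Review bot: the new `dev.tty.ldisc_autoload = 0` line has a kernel-version dependency that the hunk and commit message do not state: as the reply above notes, the key does not exist before kernel 5.1, so on an older kernel `sysctl -p` will fail on this line (and, depending on how the rest of the file is applied, may leave later keys such as `kernel.kptr_restrict = 2` unapplied). Suggest either documenting the minimum kernel in the comment block (e.g. `# Requires kernel >= 5.1`) or confirming in the commit message that the shipped kernel already provides it. Minor style point: the first comment line runs well past 80 columns; wrapping it after "prevent" would match the width of the surrounding comments.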
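As an added example (not part of the patch or of IPFire), the check a practitioner would want before shipping this line: decide whether the running kernel is new enough for `dev.tty.ldisc_autoload` (5.1 or later, per the reply above) and audit the current value. POSIX sh; the function names and the `LDISC_AUDIT_LIVE` switch are my own.

```shell
#!/bin/sh
# Added example, not from the patch or the IPFire tree.

# Return 0 if "$1" (a kernel release such as "5.4.70-ipfire") is >= 5.1,
# the first kernel that provides dev.tty.ldisc_autoload.
kernel_has_ldisc_autoload() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
    [ -n "$major" ] && [ -n "$minor" ] || return 2
    [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 1 ]; }
}

# Audit: "$1" is the kernel release, "$2" the current value of
# /proc/sys/dev/tty/ldisc_autoload (empty when the file is absent).
# Returns 0 only when line-discipline autoload is disabled.
audit_ldisc_autoload() {
    if ! kernel_has_ldisc_autoload "$1"; then
        echo "kernel $1: dev.tty.ldisc_autoload not available (needs >= 5.1)"
        return 1
    fi
    case "$2" in
        0) echo "kernel $1: ldisc autoload disabled (restricted to CAP_SYS_MODULE)"
           return 0 ;;
        1) echo "kernel $1: ldisc autoload ENABLED; unprivileged TIOCSETD can load line disciplines"
           return 1 ;;
        *) echo "kernel $1: unexpected value '$2' for dev.tty.ldisc_autoload"
           return 2 ;;
    esac
}

# Live check of the running system when LDISC_AUDIT_LIVE=1 is set.
if [ "${LDISC_AUDIT_LIVE:-0}" = 1 ]; then
    rel=$(uname -r)
    val=$(cat /proc/sys/dev/tty/ldisc_autoload 2>/dev/null)
    audit_ldisc_autoload "$rel" "$val"
fi
```

Run with `LDISC_AUDIT_LIVE=1 sh ldisc_audit.sh` on the target; a non-zero exit means the sysctl line is either unsupported there or not in effect.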