Malicious/vulnerable TTY line disciplines have been subject of some kernel exploits such as CVE-2017-2636, and since - to put it in Greg Kroah-Hatrman's words - we do not "trust the userspace to do the right thing", this reduces local kernel attack surface.
Further, there is no legitimate reason why an unprivileged user should load kernel modules during runtime, anyway.
See also: - https://lkml.org/lkml/2019/4/15/890 - https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html
Cc: Arne Fitzenreiter arne.fitzenreiter@ipfire.org Cc: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Peter Müller peter.mueller@ipfire.org --- config/etc/sysctl.conf | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index d48c7734e..b5ede15ed 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -39,6 +39,10 @@ net.bridge.bridge-nf-call-ip6tables = 0 net.bridge.bridge-nf-call-iptables = 0 net.bridge.bridge-nf-call-arptables = 0
+# Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent unprivileged attackers +# from loading vulnerable line disciplines with the TIOCSETD ioctl. +dev.tty.ldisc_autoload = 0 + # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). kernel.kptr_restrict = 2