LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Can't disable unused filesystems

Can't disable unused filesystems

Posted Feb 24, 2013 15:40 UTC (Sun) by spender (subscriber, #23067)
In reply to: Can't disable unused filesystems by jmorris42
Parent article: A story of three kernel vulnerabilities

Grsecurity can do this. It happily prevents udisks from auto-loading modules for whatever filesystems on behalf of unprivileged users. It's unfortunate though that Linux is moving in this direction (of security decisions being made in userland brokers) as it hinders the ability to enforce more secure mandatory security policies.

Grsecurity will also prevent mount from being able to load arbitrary kernel modules (it will be restricted to modules that register a filesystem).

This is a subset of the full GRKERNSEC_MODHARDEN feature which prevents unprivileged users from being able to auto-load kernel modules, without having to implement a posteriori blacklists.

-Brad

(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds