Why not remove the code? [LWN.net]

Why not remove the code?

Posted Dec 5, 2017 10:57 UTC (Tue) by NAR (subscriber, #1313)
Parent article: Restricting automatic kernel-module loading

I'm not sure I get the attack vector here. If the problem is that there is unmaintained code in the kernel that might be loaded by the user - why not remove the unmaintained code from the kernel instead? If there are legitimate users of the user-triggered kernel module autoloading, I don't see any solution that would not break their use cases. Sufficiently paranoid system administrators could have locked down their systems already by compiling everything into the kernel and disable module loading, couldn't they?

to post comments

Why not remove the code?

Posted Dec 8, 2017 15:14 UTC (Fri) by MarcB (subscriber, #101804) [Link] (1 responses)

The issue really isn't unmaintained code.

If you think about it, the current situation in Linux is really strange: Unprivileged users are not allowed to reconfigure an existing network protocol, for example to add an IP address. But they are allowed to enable a completely new protocol and expose its code to the network

Depending on the protocol, it might be completely auto-configuring, or it might just be a transport layer protocol on top an already configured protocol.

Even if everything is fine with this protocol's code, this seems very wrong to me. Only an administrator should be able to this. And it should not be necessary to use any blacklisting to prevent this, because combined with default distribution kernel configurations, that contain about everything, this is just absurd.

I like the approach suggested in https://lwn.net/Articles/740662/. With proper documentation, reasonable defaults and proper tools, this might work fine.

Permission to cause kernel modules to be loaded

Posted Dec 10, 2017 21:50 UTC (Sun) by giraffedata (guest, #1954) [Link]

If you think it's really strange that an unprivileged user has the power to get code added to the running kernel, you're looking at module loading the wrong way. That network protocol was already enabled; the code for it is part of the kernel installed on the computer. We just delay loading it into memory until it is needed, for reasons of efficiency.

We have to restrict a user's power to set an IP address because it affects other users, but letting the user use a network protocol, for his own messages, that no one else has used yet since boot isn't in the same category.

The concept of restricting automatic module loads to reduce the attack surface just takes advantage of that delayed loading we invented for efficiency to implement a version of the more general concept of requiring special permission to do anything, so that Trojan horses cannot exploit bugs in code the user has no need to run.