| Message ID | 53403b50-5876-58e1-cbc9-7e74badf365d@ipfire.org |
|---|---|
| State | Accepted |
| Commit | 4d622b7ebe9f3e049961afb3ad5b6f65a6ef47c7 |
| Headers |
Return-Path: <development-bounces@lists.ipfire.org> Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4C4rgC0pwKz3x0j for <patchwork@web04.haj.ipfire.org>; Mon, 5 Oct 2020 19:45:43 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4C4rg94lMNzBC; Mon, 5 Oct 2020 19:45:41 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4C4rg92zPhz2y5K; Mon, 5 Oct 2020 19:45:41 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4C4rg82bPBz2xb4 for <development@lists.ipfire.org>; Mon, 5 Oct 2020 19:45:40 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPSA id 4C4rg63dfWzBC for <development@lists.ipfire.org>; Mon, 5 Oct 2020 19:45:37 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1601927139; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=u9iHF8KvOmgNv4IgPMRmvsLdlv4uj9+3ikMpg2ANGPw=; b=LDVX0n0QjCXp8+ckA1bJWdVifPaxRjN5uonh8zMv/kP9buxMcS6K6KlTXxgbz1ZW5g7pPc 3aIc6XVk9zotecCw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1601927139; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=u9iHF8KvOmgNv4IgPMRmvsLdlv4uj9+3ikMpg2ANGPw=; b=RTnvUY66k9q0e2xjRtWu2gAaE0SfW8on+EEPlrtA3sKQ2ZMd8++QWJaGAfot7i70KR1PHp AywmpoKG0B6iFplyStPXO3AXohXOksqtSODumD2/UiLT8oh7SowlA7FhRpBYlfhzegndpN ywiPK/womOrVuLo12wPrYrh2I2QZmH8Fi3ncClfRCU1WQDIMXG4SNcp7yWD9BioR3h/S+B UOeRciwSUIxI+cYQafMsx+BI8DRqv8r6w/DZIGLJpI4gmk7f/GZj1jMOObZos+7AvFLVrC qX+WiZl5iBzUoHnup+jE1qXeJfDWtXNhr5GcqCx3uksyBABGWSGO2jdPL0bnKA== Subject: [PATCH] sysctl.conf: prevent autoloading of TTY line disciplines To: development@lists.ipfire.org References: <7e85496c-a7af-eb2d-b9ac-c6a5efcc69a5@ipfire.org> From: =?utf-8?q?Peter_M=C3=BCller?= <peter.mueller@ipfire.org> Message-ID: <53403b50-5876-58e1-cbc9-7e74badf365d@ipfire.org> Date: Mon, 5 Oct 2020 19:45:31 +0000 MIME-Version: 1.0 In-Reply-To: <7e85496c-a7af-eb2d-b9ac-c6a5efcc69a5@ipfire.org> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Authentication-Results: mail01.ipfire.org; auth=pass smtp.auth=pmueller smtp.mailfrom=peter.mueller@ipfire.org X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk <development.lists.ipfire.org> List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>, <mailto:development-request@lists.ipfire.org?subject=unsubscribe> List-Archive: <http://lists.ipfire.org/pipermail/development/> List-Post: <mailto:development@lists.ipfire.org> List-Help: <mailto:development-request@lists.ipfire.org?subject=help> List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>, <mailto:development-request@lists.ipfire.org?subject=subscribe> Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org> |
| Series |
sysctl.conf: prevent autoloading of TTY line disciplines
|
|
Commit Message
Peter Müller
Oct. 5, 2020, 7:45 p.m. UTC
Malicious/vulnerable TTY line disciplines have been subject of some
kernel exploits such as CVE-2017-2636, and since - to put it in Greg
Kroah-Hatrman's words - we do not "trust the userspace to do the right
thing", this reduces local kernel attack surface.
Further, there is no legitimate reason why an unprivileged user should
load kernel modules during runtime, anyway.
See also:
- https://lkml.org/lkml/2019/4/15/890
- https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html
Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
config/etc/sysctl.conf | 4 ++++
1 file changed, 4 insertions(+)
Comments
This does not exist before kernel 5.1. -Michael > On 5 Oct 2020, at 20:45, Peter Müller <peter.mueller@ipfire.org> wrote: > > Malicious/vulnerable TTY line disciplines have been subject of some > kernel exploits such as CVE-2017-2636, and since - to put it in Greg > Kroah-Hatrman's words - we do not "trust the userspace to do the right > thing", this reduces local kernel attack surface. > > Further, there is no legitimate reason why an unprivileged user should > load kernel modules during runtime, anyway. > > See also: > - https://lkml.org/lkml/2019/4/15/890 > - https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html > > Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> > Cc: Michael Tremer <michael.tremer@ipfire.org> > Signed-off-by: Peter Müller <peter.mueller@ipfire.org> > --- > config/etc/sysctl.conf | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf > index d48c7734e..b5ede15ed 100644 > --- a/config/etc/sysctl.conf > +++ b/config/etc/sysctl.conf > @@ -39,6 +39,10 @@ net.bridge.bridge-nf-call-ip6tables = 0 > net.bridge.bridge-nf-call-iptables = 0 > net.bridge.bridge-nf-call-arptables = 0 > > +# Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent unprivileged attackers > +# from loading vulnerable line disciplines with the TIOCSETD ioctl. > +dev.tty.ldisc_autoload = 0 > + > # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). > kernel.kptr_restrict = 2 > > -- > 2.26.2
Hello Michael, grmpf, overlooked some patched distribution kernel again. :-/ Sorry for the noise - I will keep the patch queued and wait for kernel 5.9 ... Thanks, and best regards, Peter Müller > This does not exist before kernel 5.1. > > -Michael > >> On 5 Oct 2020, at 20:45, Peter Müller <peter.mueller@ipfire.org> wrote: >> >> Malicious/vulnerable TTY line disciplines have been subject of some >> kernel exploits such as CVE-2017-2636, and since - to put it in Greg >> Kroah-Hatrman's words - we do not "trust the userspace to do the right >> thing", this reduces local kernel attack surface. >> >> Further, there is no legitimate reason why an unprivileged user should >> load kernel modules during runtime, anyway. >> >> See also: >> - https://lkml.org/lkml/2019/4/15/890 >> - https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html >> >> Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> >> Cc: Michael Tremer <michael.tremer@ipfire.org> >> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> >> --- >> config/etc/sysctl.conf | 4 ++++ >> 1 file changed, 4 insertions(+) >> >> diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf >> index d48c7734e..b5ede15ed 100644 >> --- a/config/etc/sysctl.conf >> +++ b/config/etc/sysctl.conf >> @@ -39,6 +39,10 @@ net.bridge.bridge-nf-call-ip6tables = 0 >> net.bridge.bridge-nf-call-iptables = 0 >> net.bridge.bridge-nf-call-arptables = 0 >> >> +# Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent unprivileged attackers >> +# from loading vulnerable line disciplines with the TIOCSETD ioctl. >> +dev.tty.ldisc_autoload = 0 >> + >> # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). >> kernel.kptr_restrict = 2 >> >> -- >> 2.26.2 >
Hello Michael, it seems as the kernel folks backported this into 4.14.x by now: > [root@maverick ~]# uname -a > Linux maverick 4.14.212-ipfire #1 SMP Wed Dec 16 12:01:25 GMT 2020 x86_64 Intel(R) Celeron(R) CPU N3150 @ 1.60GHz GenuineIntel GNU/Linux > [root@maverick ~]# sysctl dev.tty.ldisc_autoload > dev.tty.ldisc_autoload = 1 Therefore, I would like to see this patch being merged - that is, if it is still applicable. :-) Thanks, and best regards, Peter Müller > Hello Michael, > > grmpf, overlooked some patched distribution kernel again. :-/ > > Sorry for the noise - I will keep the patch queued and wait for kernel 5.9 ... > > Thanks, and best regards, > Peter Müller > > >> This does not exist before kernel 5.1. >> >> -Michael >> >>> On 5 Oct 2020, at 20:45, Peter Müller <peter.mueller@ipfire.org> wrote: >>> >>> Malicious/vulnerable TTY line disciplines have been subject of some >>> kernel exploits such as CVE-2017-2636, and since - to put it in Greg >>> Kroah-Hatrman's words - we do not "trust the userspace to do the right >>> thing", this reduces local kernel attack surface. >>> >>> Further, there is no legitimate reason why an unprivileged user should >>> load kernel modules during runtime, anyway. >>> >>> See also: >>> - https://lkml.org/lkml/2019/4/15/890 >>> - https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html >>> >>> Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> >>> Cc: Michael Tremer <michael.tremer@ipfire.org> >>> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> >>> --- >>> config/etc/sysctl.conf | 4 ++++ >>> 1 file changed, 4 insertions(+) >>> >>> diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf >>> index d48c7734e..b5ede15ed 100644 >>> --- a/config/etc/sysctl.conf >>> +++ b/config/etc/sysctl.conf >>> @@ -39,6 +39,10 @@ net.bridge.bridge-nf-call-ip6tables = 0 >>> net.bridge.bridge-nf-call-iptables = 0 >>> net.bridge.bridge-nf-call-arptables = 0 >>> >>> +# Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent unprivileged attackers >>> +# from loading vulnerable line disciplines with the TIOCSETD ioctl. >>> +dev.tty.ldisc_autoload = 0 >>> + >>> # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). >>> kernel.kptr_restrict = 2 >>> >>> -- >>> 2.26.2 >>
Okay, merged. > On 2 Apr 2021, at 20:30, Peter Müller <peter.mueller@ipfire.org> wrote: > > Hello Michael, > > it seems as the kernel folks backported this into 4.14.x by now: > >> [root@maverick ~]# uname -a >> Linux maverick 4.14.212-ipfire #1 SMP Wed Dec 16 12:01:25 GMT 2020 x86_64 Intel(R) Celeron(R) CPU N3150 @ 1.60GHz GenuineIntel GNU/Linux >> [root@maverick ~]# sysctl dev.tty.ldisc_autoload >> dev.tty.ldisc_autoload = 1 > > Therefore, I would like to see this patch being merged - that is, if it is still applicable. :-) > > Thanks, and best regards, > Peter Müller > > >> Hello Michael, >> >> grmpf, overlooked some patched distribution kernel again. :-/ >> >> Sorry for the noise - I will keep the patch queued and wait for kernel 5.9 ... >> >> Thanks, and best regards, >> Peter Müller >> >> >>> This does not exist before kernel 5.1. >>> >>> -Michael >>> >>>> On 5 Oct 2020, at 20:45, Peter Müller <peter.mueller@ipfire.org> wrote: >>>> >>>> Malicious/vulnerable TTY line disciplines have been subject of some >>>> kernel exploits such as CVE-2017-2636, and since - to put it in Greg >>>> Kroah-Hatrman's words - we do not "trust the userspace to do the right >>>> thing", this reduces local kernel attack surface. >>>> >>>> Further, there is no legitimate reason why an unprivileged user should >>>> load kernel modules during runtime, anyway. >>>> >>>> See also: >>>> - https://lkml.org/lkml/2019/4/15/890 >>>> - https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html >>>> >>>> Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> >>>> Cc: Michael Tremer <michael.tremer@ipfire.org> >>>> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> >>>> --- >>>> config/etc/sysctl.conf | 4 ++++ >>>> 1 file changed, 4 insertions(+) >>>> >>>> diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf >>>> index d48c7734e..b5ede15ed 100644 >>>> --- a/config/etc/sysctl.conf >>>> +++ b/config/etc/sysctl.conf >>>> @@ -39,6 +39,10 @@ net.bridge.bridge-nf-call-ip6tables = 0 >>>> net.bridge.bridge-nf-call-iptables = 0 >>>> net.bridge.bridge-nf-call-arptables = 0 >>>> >>>> +# Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent unprivileged attackers >>>> +# from loading vulnerable line disciplines with the TIOCSETD ioctl. >>>> +dev.tty.ldisc_autoload = 0 >>>> + >>>> # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). >>>> kernel.kptr_restrict = 2 >>>> >>>> -- >>>> 2.26.2 >>>
diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index d48c7734e..b5ede15ed 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -39,6 +39,10 @@ net.bridge.bridge-nf-call-ip6tables = 0 net.bridge.bridge-nf-call-iptables = 0 net.bridge.bridge-nf-call-arptables = 0 +# Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent unprivileged attackers +# from loading vulnerable line disciplines with the TIOCSETD ioctl. +dev.tty.ldisc_autoload = 0 + # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). kernel.kptr_restrict = 2