From patchwork Mon Oct 5 19:45:31 2020
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 3508
Subject: [PATCH] sysctl.conf: prevent autoloading of TTY line disciplines
To: development@lists.ipfire.org
References: <7e85496c-a7af-eb2d-b9ac-c6a5efcc69a5@ipfire.org>
From: Peter Müller
Message-ID: <53403b50-5876-58e1-cbc9-7e74badf365d@ipfire.org>
Date: Mon, 5 Oct 2020 19:45:31 +0000
In-Reply-To: <7e85496c-a7af-eb2d-b9ac-c6a5efcc69a5@ipfire.org>
List-Id: IPFire development talk

Malicious/vulnerable TTY line disciplines have been the subject of some kernel exploits such as CVE-2017-2636, and since - to put it in Greg Kroah-Hartman's words - we do not "trust the userspace to do the right thing", this reduces local kernel attack surface.

Further, there is no legitimate reason why an unprivileged user should load kernel modules during runtime, anyway.

See also:
- https://lkml.org/lkml/2019/4/15/890
- https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html

Cc: Arne Fitzenreiter
Cc: Michael Tremer
Signed-off-by: Peter Müller
---
 config/etc/sysctl.conf | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
index d48c7734e..b5ede15ed 100644
--- a/config/etc/sysctl.conf
+++ b/config/etc/sysctl.conf
@@ -39,6 +39,10 @@ net.bridge.bridge-nf-call-ip6tables = 0
 net.bridge.bridge-nf-call-iptables = 0
 net.bridge.bridge-nf-call-arptables = 0
+# Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent unprivileged attackers
+# from loading vulnerable line disciplines with the TIOCSETD ioctl.
+dev.tty.ldisc_autoload = 0
+
 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
 kernel.kptr_restrict = 2
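Review bot: the new `dev.tty.ldisc_autoload = 0` key only exists on kernels that carry the sysctl introduced by the linked LKML change (mainline 5.1); on an older kernel `sysctl -p` will report the key as unknown and, depending on how the boot scripts apply this file, may abort before later keys such as `kernel.kptr_restrict` are set. Please state in the commit message which kernel series this targets, or guard the setting so that a missing `/proc/sys/dev/tty/ldisc_autoload` does not break application of the rest of the file. Also worth noting in the comment: the sysctl only blocks autoloading of line-discipline modules that are not yet loaded; disciplines already loaded or built in remain selectable via TIOCSETD, so disabling or blacklisting unneeded ldisc modules is the complementary step.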