Re: [gentoo-user] Re: Kernel modules and security
On Friday, 22 March 2019 15:22:48 GMT Grant Edwards wrote:
> On 2019-03-22, Peter Humphrey wrote:
> > Years ago, in the days of Yggdrasil I think,
>
> Wow, that triggers a flashback!

Glad to be of service :)

Thanks all for the advice.

-- 
Regards,
Peter.
[gentoo-user] Re: Kernel modules and security
On 2019-03-22, Peter Humphrey wrote:

> Years ago, in the days of Yggdrasil I think,

Wow, that triggers a flashback!

My first Linux install was Yggdrasil, and it took _hours_ to boot. The
smartasses at Yggdrasil insisted on trying to play an audio clip that said
something like "Welcome to Yggdrasil" on startup. My machine didn't have an
audio card, so the fallback was to try to play it by bit-banging the normal
PC speaker that was connected to a PIO pin. It would sit there clicking the
damn speaker trying to play the audio clip for most of the afternoon before
it would continue the startup. I installed a different distro as soon as I
could get hold of one...

> the received wisdom was that enabling kernel module loading was a
> bad idea because an attacker might be able to load malicious
> software directly into the kernel. No modules --> one more attack
> route closed.

If an attacker can write to your /lib/modules directory, he's got root and
all is lost: he can just as easily write to your /boot directory or anything
else, so I don't see why there's any additional risk.

Unless you're talking about loading kernel modules from a flash drive you
found on the sidewalk... that's definitely a Bad Idea(tm).

> What is the current thinking on this topic? I'm not trolling; I'd
> like to know which way to go with a new box.

On Gentoo machines, I usually configure the driver with built-in drivers for
what I need and run mostly module-free except for...

$ lsmod
Module                  Size  Used by
nvidia_drm             40960  1
nvidia_modeset       1007616  2 nvidia_drm
nvidia              13877248  117 nvidia_modeset

-- 
Grant Edwards               grant.b.edwards        Yow! Did I do an INCORRECT
                                  at               THING??
                              gmail.com
Re: [gentoo-user] Kernel modules and security
On 3/22/19 10:46 AM, Peter Humphrey wrote:
> Hello list,
>
> Years ago, in the days of Yggdrasil I think, the received wisdom was that
> enabling kernel module loading was a bad idea because an attacker might be
> able to load malicious software directly into the kernel. No modules --> one
> more attack route closed.
>
> What is the current thinking on this topic? I'm not trolling; I'd like to
> know which way to go with a new box.
>

The only way a non-root user can load a module into the kernel is if the
kernel itself has a critical security flaw in the module-loading code. I
would hope that said code is bullet-proof by now, but the risk is non-zero
I guess.

On the other hand, kernel drivers go ape-shit on me all the time, and having
the ability to force-unload and reload them (without a reboot) is a life
saver. Being able to build and load one module at a time also speeds up the
kernel build -> oops I forgot something -> build loop.
Re: [gentoo-user] Kernel modules and security
On Fri, 22 Mar 2019 14:46:20 + Peter Humphrey wrote:
> Hello list,
>
> Years ago, in the days of Yggdrasil I think, the received wisdom was that
> enabling kernel module loading was a bad idea because an attacker might be
> able to load malicious software directly into the kernel. No modules --> one
> more attack route closed.
>
> What is the current thinking on this topic? I'm not trolling; I'd like to
> know which way to go with a new box.

These days one can configure the kernel to load only signed modules (with
the public key compiled into the kernel) and refuse to load all unsigned
modules [CONFIG_MODULE_SIG_FORCE]. During the normal kernel build process
all legitimate modules will be signed [CONFIG_MODULE_SIG_ALL]. All
out-of-tree modules may be signed manually as well [scripts/sign-file].
Afterwards the signing key [certs/signing_key.pem] may be removed from the
system (e.g. encrypted or deleted).

The benefit of this approach compared to a kernel without modules is:

1) out-of-tree kernel modules can be used (e.g. I use openafs)

2) the kernel can be made smaller and faster by removing rarely needed
functionality into modules (e.g. support for various USB devices, network
protocols or filters and other subsystems which are not used on a daily
basis, but may be needed occasionally).

Best regards,
Andrew Savchenko
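As an added illustration of the setup Andrew describes (this is example code written for this thread, not anything posted by Andrew or shipped by Gentoo or the kernel), the script below audits a kernel .config for the three options he names and wraps the in-tree scripts/sign-file helper for out-of-tree modules. It assumes an upstream-style kernel source tree in which the build has generated certs/signing_key.pem and certs/signing_key.x509; the .config fragments it checks in the demo are constructed, not taken from a real machine.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks a kernel .config for the
# module-signing options Andrew names (CONFIG_MODULE_SIG, CONFIG_MODULE_SIG_ALL,
# CONFIG_MODULE_SIG_FORCE) and wraps scripts/sign-file for out-of-tree modules.
# Assumption: an upstream-style kernel tree with the signing key at
# certs/signing_key.pem and its certificate at certs/signing_key.x509.

# check_modsig_config CONFIG_FILE
# Prints one line per option; returns 0 only when all three are set to y.
check_modsig_config() {
    cfg="$1"
    missing=0
    for opt in CONFIG_MODULE_SIG CONFIG_MODULE_SIG_ALL CONFIG_MODULE_SIG_FORCE; do
        if grep -qx "${opt}=y" "$cfg"; then
            echo "ok       $opt"
        else
            echo "MISSING  $opt"
            missing=1
        fi
    done
    return "$missing"
}

# sig_hash_algo CONFIG_FILE
# Prints the hash named in CONFIG_MODULE_SIG_HASH (e.g. sha512). Returns 1 if
# the option is absent so that callers never sign with a guessed algorithm.
sig_hash_algo() {
    algo=$(sed -n 's/^CONFIG_MODULE_SIG_HASH="\(.*\)"$/\1/p' "$1")
    [ -n "$algo" ] || { echo "CONFIG_MODULE_SIG_HASH not set in $1" >&2; return 1; }
    echo "$algo"
}

# sign_module KERNEL_SRC MODULE.ko
# Signs an out-of-tree module in place with the tree's own key, using the hash
# the kernel was built to expect, then prints the signer field modinfo reads.
sign_module() {
    ksrc="$1"
    mod="$2"
    algo=$(sig_hash_algo "$ksrc/.config") || return 1
    "$ksrc/scripts/sign-file" "$algo" \
        "$ksrc/certs/signing_key.pem" "$ksrc/certs/signing_key.x509" "$mod" || return 1
    modinfo -F signer "$mod"
}

# Demo on constructed .config fragments (not real kernel configs).
tmp=$(mktemp -d)
printf 'CONFIG_MODULE_SIG=y\nCONFIG_MODULE_SIG_ALL=y\nCONFIG_MODULE_SIG_FORCE=y\nCONFIG_MODULE_SIG_HASH="sha512"\n' > "$tmp/hardened.config"
printf 'CONFIG_MODULE_SIG=y\n# CONFIG_MODULE_SIG_FORCE is not set\n' > "$tmp/permissive.config"
for f in "$tmp/hardened.config" "$tmp/permissive.config"; do
    echo "== $f"
    if check_modsig_config "$f"; then
        echo "unsigned modules will be refused (hash: $(sig_hash_algo "$f"))"
    else
        echo "unsigned modules would still load"
    fi
done
rm -rf "$tmp"
```

To audit a running kernel rather than the constructed fragments, point check_modsig_config at /boot/config-$(uname -r), or at a copy of /proc/config.gz decompressed with zcat. With CONFIG_MODULE_SIG=y but without CONFIG_MODULE_SIG_FORCE, an unsigned module still loads and only taints the kernel, which is why the check insists on all three options.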
Re: [gentoo-user] Kernel modules and security
On Fri, Mar 22, 2019 at 10:46 AM Peter Humphrey wrote:
>
> Years ago, in the days of Yggdrasil I think, the received wisdom was that
> enabling kernel module loading was a bad idea because an attacker might be
> able to load malicious software directly into the kernel. No modules --> one
> more attack route closed.
>
> What is the current thinking on this topic? I'm not trolling; I'd like to know
> which way to go with a new box.
>

IMO unless you're already using SELinux/etc this seems like a minor concern
to focus on. You can't load kernel modules unless you're root, and if you
have root then everything is wide open anyway.

Now, if you're using a more hardened configuration where somebody who has
root access is contained, but they might still be able to load modules, then
this might be a meaningful protection. However, I suspect that most
approaches to hardening that limit the capabilities of root are going to
also limit the ability to load modules. In Linux you need the CAP_SYS_MODULE
capability to load a kernel module. I have to imagine that this is one of
the first things you'd drop in any kind of hardened design since the need to
load modules is very niche but very powerful.

Now, if you want to make the argument that every system call is one more
attack vector, then, sure, I guess this applies, but IMO the odds that there
is some exploit in the kernel where a process lacking CAP_SYS_MODULE could
call init_module anyway seem pretty low. If you're going to be worried about
this sort of vector then you should be selectively removing just about any
system call that your application doesn't need, or just looking at
microkernels or whatever.

-- 
Rich
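Rich's point is that the kernel gates module loading on CAP_SYS_MODULE, so the practical check on a hardened box is whether a given process still holds that capability. The script below is an added example for this thread, not Rich's code or any Gentoo tool: it decodes the CapEff bitmask from a /proc/PID/status file and tests the CAP_SYS_MODULE bit (capability number 16 in Linux). The status fragments in the demo are constructed rather than captured from a live system.

```shell
#!/bin/sh
# Added example, not code from the thread. Decodes the CapEff bitmask from a
# /proc/PID/status file and reports whether CAP_SYS_MODULE (capability 16) is
# in the effective set, i.e. whether init_module/finit_module would be allowed.

CAP_SYS_MODULE=16

# cap_eff_mask STATUS_FILE
# Prints the hex value of the "CapEff:" line, or returns 1 if it is absent.
cap_eff_mask() {
    mask=$(sed -n 's/^CapEff:[[:space:]]*\([0-9a-fA-F]*\)$/\1/p' "$1")
    [ -n "$mask" ] || { echo "no CapEff line in $1" >&2; return 1; }
    echo "$mask"
}

# has_cap STATUS_FILE CAP_NUMBER
# Returns 0 when the given capability bit is set in CapEff, 1 otherwise.
# The mask is at most 16 hex digits, so it fits the shell's 64-bit arithmetic.
has_cap() {
    mask=$(cap_eff_mask "$1") || return 1
    [ $(( (0x$mask >> $2) & 1 )) -eq 1 ]
}

# report STATUS_FILE
# One-line verdict, usable in a loop over /proc/[0-9]*/status.
report() {
    if has_cap "$1" "$CAP_SYS_MODULE"; then
        echo "$1: CAP_SYS_MODULE present (module loading allowed)"
    else
        echo "$1: CAP_SYS_MODULE absent  (module loading denied by the kernel)"
    fi
}

# Demo on constructed status fragments (not captured from a live system).
tmp=$(mktemp -d)
printf 'Name:\tbash\nCapEff:\t000001ffffffffff\n' > "$tmp/full.status"     # every capability
printf 'Name:\tbash\nCapEff:\t00000000a80425fb\n' > "$tmp/reduced.status"  # reduced set, bit 16 clear
report "$tmp/full.status"
report "$tmp/reduced.status"
if [ -r /proc/self/status ]; then
    report /proc/self/status
fi
rm -rf "$tmp"
```

The same decoder generalises to any capability by changing the bit number, which is handy for confirming that a container or service hardening profile really dropped what it claims to have dropped.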
[gentoo-user] Kernel modules and security
Hello list,

Years ago, in the days of Yggdrasil I think, the received wisdom was that
enabling kernel module loading was a bad idea because an attacker might be
able to load malicious software directly into the kernel. No modules --> one
more attack route closed.

What is the current thinking on this topic? I'm not trolling; I'd like to
know which way to go with a new box.

-- 
Regards,
Peter.