Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions

2017-05-24 Thread Djalal Harouni
On Tue, May 23, 2017 at 9:48 AM, Solar Designer wrote: >> >>> On Mon, May 22, 2017 at 2:08 PM, Solar Designer >> >>> wrote: >> >>> > On Mon, May 22, 2017 at 01:57:03PM +0200, Djalal Harouni wrote: >> >>> >> *) When modules_autoload_mode is set to (2),

Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions

2017-05-24 Thread Djalal Harouni
On Tue, May 23, 2017 at 9:48 AM, Solar Designer wrote: >> >>> On Mon, May 22, 2017 at 2:08 PM, Solar Designer >> >>> wrote: >> >>> > On Mon, May 22, 2017 at 01:57:03PM +0200, Djalal Harouni wrote: >> >>> >> *) When modules_autoload_mode is set to (2), automatic module loading >> >>> >> is >>

Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions

2017-05-23 Thread Andy Lutomirski
On Tue, May 23, 2017 at 11:36 AM, Kees Cook wrote: > On Tue, May 23, 2017 at 12:48 AM, Solar Designer wrote: >> For modules_autoload_mode=2, we already seem to have the equivalent of >> modprobe=/bin/true (or does it differ subtly, maybe in return

Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions

2017-05-23 Thread Andy Lutomirski
On Tue, May 23, 2017 at 11:36 AM, Kees Cook wrote: > On Tue, May 23, 2017 at 12:48 AM, Solar Designer wrote: >> For modules_autoload_mode=2, we already seem to have the equivalent of >> modprobe=/bin/true (or does it differ subtly, maybe in return values?), >> which I already use at startup on a

Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions

2017-05-23 Thread Kees Cook
On Tue, May 23, 2017 at 12:48 AM, Solar Designer wrote: > For modules_autoload_mode=2, we already seem to have the equivalent of > modprobe=/bin/true (or does it differ subtly, maybe in return values?), > which I already use at startup on a GPU box like this (preloading >

Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions

2017-05-23 Thread Kees Cook
On Tue, May 23, 2017 at 12:48 AM, Solar Designer wrote: > For modules_autoload_mode=2, we already seem to have the equivalent of > modprobe=/bin/true (or does it differ subtly, maybe in return values?), > which I already use at startup on a GPU box like this (preloading > modules so that the

Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions

2017-05-23 Thread Djalal Harouni
On Tue, May 23, 2017 at 1:38 AM, Andy Lutomirski wrote: > On Mon, May 22, 2017 at 4:07 PM, Kees Cook wrote: >> On Mon, May 22, 2017 at 12:55 PM, Djalal Harouni wrote: >>> On Mon, May 22, 2017 at 6:43 PM, Solar Designer

Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions

2017-05-23 Thread Djalal Harouni
On Tue, May 23, 2017 at 1:38 AM, Andy Lutomirski wrote: > On Mon, May 22, 2017 at 4:07 PM, Kees Cook wrote: >> On Mon, May 22, 2017 at 12:55 PM, Djalal Harouni wrote: >>> On Mon, May 22, 2017 at 6:43 PM, Solar Designer wrote: On Mon, May 22, 2017 at 03:49:15PM +0200, Djalal Harouni wrote:

Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions

2017-05-23 Thread Solar Designer
> >>> On Mon, May 22, 2017 at 2:08 PM, Solar Designer > >>> wrote: > >>> > On Mon, May 22, 2017 at 01:57:03PM +0200, Djalal Harouni wrote: > >>> >> *) When modules_autoload_mode is set to (2), automatic module loading > >>> >> is > >>> >> disabled for all. Once set, this

Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions

2017-05-23 Thread Solar Designer
> >>> On Mon, May 22, 2017 at 2:08 PM, Solar Designer > >>> wrote: > >>> > On Mon, May 22, 2017 at 01:57:03PM +0200, Djalal Harouni wrote: > >>> >> *) When modules_autoload_mode is set to (2), automatic module loading > >>> >> is > >>> >> disabled for all. Once set, this value can not be

Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions

2017-05-22 Thread Kees Cook
On Mon, May 22, 2017 at 4:38 PM, Andy Lutomirski wrote: > I think that having the un-resettable mode is unnecessary. We should > have option that disables loading modules entirely and cannot be > unset. (That means no explicit loads and not implicit loads.) Maybe > we already

Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions

2017-05-22 Thread Kees Cook
On Mon, May 22, 2017 at 4:38 PM, Andy Lutomirski wrote: > I think that having the un-resettable mode is unnecessary. We should > have option that disables loading modules entirely and cannot be > unset. (That means no explicit loads and not implicit loads.) Maybe > we already have this.

Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions

2017-05-22 Thread Andy Lutomirski
On Mon, May 22, 2017 at 4:07 PM, Kees Cook wrote: > On Mon, May 22, 2017 at 12:55 PM, Djalal Harouni wrote: >> On Mon, May 22, 2017 at 6:43 PM, Solar Designer wrote: >>> On Mon, May 22, 2017 at 03:49:15PM +0200, Djalal Harouni wrote:

Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions

2017-05-22 Thread Andy Lutomirski
On Mon, May 22, 2017 at 4:07 PM, Kees Cook wrote: > On Mon, May 22, 2017 at 12:55 PM, Djalal Harouni wrote: >> On Mon, May 22, 2017 at 6:43 PM, Solar Designer wrote: >>> On Mon, May 22, 2017 at 03:49:15PM +0200, Djalal Harouni wrote: On Mon, May 22, 2017 at 2:08 PM, Solar Designer wrote:

Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions

2017-05-22 Thread Kees Cook
On Mon, May 22, 2017 at 12:55 PM, Djalal Harouni wrote: > On Mon, May 22, 2017 at 6:43 PM, Solar Designer wrote: >> On Mon, May 22, 2017 at 03:49:15PM +0200, Djalal Harouni wrote: >>> On Mon, May 22, 2017 at 2:08 PM, Solar Designer

Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions

2017-05-22 Thread Kees Cook
On Mon, May 22, 2017 at 12:55 PM, Djalal Harouni wrote: > On Mon, May 22, 2017 at 6:43 PM, Solar Designer wrote: >> On Mon, May 22, 2017 at 03:49:15PM +0200, Djalal Harouni wrote: >>> On Mon, May 22, 2017 at 2:08 PM, Solar Designer wrote: >>> > On Mon, May 22, 2017 at 01:57:03PM +0200, Djalal

Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions

2017-05-22 Thread Djalal Harouni
On Mon, May 22, 2017 at 6:43 PM, Solar Designer wrote: > On Mon, May 22, 2017 at 03:49:15PM +0200, Djalal Harouni wrote: >> On Mon, May 22, 2017 at 2:08 PM, Solar Designer wrote: >> > On Mon, May 22, 2017 at 01:57:03PM +0200, Djalal Harouni wrote: >> >> *)

Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions

2017-05-22 Thread Djalal Harouni
On Mon, May 22, 2017 at 6:43 PM, Solar Designer wrote: > On Mon, May 22, 2017 at 03:49:15PM +0200, Djalal Harouni wrote: >> On Mon, May 22, 2017 at 2:08 PM, Solar Designer wrote: >> > On Mon, May 22, 2017 at 01:57:03PM +0200, Djalal Harouni wrote: >> >> *) When modules_autoload_mode is set to

Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions

2017-05-22 Thread Solar Designer
On Mon, May 22, 2017 at 03:49:15PM +0200, Djalal Harouni wrote: > On Mon, May 22, 2017 at 2:08 PM, Solar Designer wrote: > > On Mon, May 22, 2017 at 01:57:03PM +0200, Djalal Harouni wrote: > >> *) When modules_autoload_mode is set to (2), automatic module loading is > >>

Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions

2017-05-22 Thread Solar Designer
On Mon, May 22, 2017 at 03:49:15PM +0200, Djalal Harouni wrote: > On Mon, May 22, 2017 at 2:08 PM, Solar Designer wrote: > > On Mon, May 22, 2017 at 01:57:03PM +0200, Djalal Harouni wrote: > >> *) When modules_autoload_mode is set to (2), automatic module loading is > >> disabled for all. Once

Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions

2017-05-22 Thread Djalal Harouni
Hi Alexander, On Mon, May 22, 2017 at 2:08 PM, Solar Designer wrote: > Hi Djalal, > > Thank you for your work on this! > > On Mon, May 22, 2017 at 01:57:03PM +0200, Djalal Harouni wrote: >> *) When modules_autoload_mode is set to (2), automatic module loading is >> disabled

Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions

2017-05-22 Thread Djalal Harouni
Hi Alexander, On Mon, May 22, 2017 at 2:08 PM, Solar Designer wrote: > Hi Djalal, > > Thank you for your work on this! > > On Mon, May 22, 2017 at 01:57:03PM +0200, Djalal Harouni wrote: >> *) When modules_autoload_mode is set to (2), automatic module loading is >> disabled for all. Once set,

Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions

2017-05-22 Thread Solar Designer
Hi Djalal, Thank you for your work on this! On Mon, May 22, 2017 at 01:57:03PM +0200, Djalal Harouni wrote: > *) When modules_autoload_mode is set to (2), automatic module loading is > disabled for all. Once set, this value can not be changed. What purpose does this securelevel-like property

Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions

2017-05-22 Thread Solar Designer
Hi Djalal, Thank you for your work on this! On Mon, May 22, 2017 at 01:57:03PM +0200, Djalal Harouni wrote: > *) When modules_autoload_mode is set to (2), automatic module loading is > disabled for all. Once set, this value can not be changed. What purpose does this securelevel-like property