UBUNTU: SAUCE: [net] disable autoloading of rare protocols

This disables the autoloading of several rare network protocols
in an effort to reduce exposure to potential future security
issues with them, as recently demonstrated with RDS and Econet.

Thanks to Ben Hutchings and Debian for the patches:

http://git.debian.org/?p=kernel/linux-2.6.git;a=commitdiff;h=990932981b989699a710e1ec9eb3dd25f08ac362
http://git.debian.org/?p=kernel/linux-2.6.git;a=commitdiff;h=189f09eb39228b11fe8a6b56a27ad09639150d37
http://git.debian.org/?p=kernel/linux-2.6.git;a=commitdiff;h=6fd8c90166edf1595c2c828f7cbe4ba7febc4af8
http://git.debian.org/?p=kernel/linux-2.6.git;a=commitdiff;h=8d92d7b141b4767f9877ffd1a2c7b0060d50628f
http://git.debian.org/?p=kernel/linux-2.6.git;a=commitdiff;h=cf875d498103ff888db76892ae98ddc5ed0d3a4c

Signed-off-by: Kees Cook <kees.cook@canonical.com>
---
 net/decnet/af_decnet.c         |    2 +-
 net/econet/af_econet.c         |    2 +-
 net/ieee802154/af_ieee802154.c |    2 +-
 net/rds/af_rds.c               |    2 +-
 net/x25/af_x25.c               |    2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

On 01/11/2011 04:54 PM, Kees Cook wrote:
> This disables the autoloading of several rare network protocols
> in an effort to reduce exposure to potential future security
> issues with them, as recently demonstrated with RDS and Econet.
>
> Thanks to Ben Hutchings and Debian for the patches:
>
> http://git.debian.org/?p=kernel/linux-2.6.git;a=commitdiff;h=990932981b989699a710e1ec9eb3dd25f08ac362
> http://git.debian.org/?p=kernel/linux-2.6.git;a=commitdiff;h=189f09eb39228b11fe8a6b56a27ad09639150d37
> http://git.debian.org/?p=kernel/linux-2.6.git;a=commitdiff;h=6fd8c90166edf1595c2c828f7cbe4ba7febc4af8
> http://git.debian.org/?p=kernel/linux-2.6.git;a=commitdiff;h=8d92d7b141b4767f9877ffd1a2c7b0060d50628f
> http://git.debian.org/?p=kernel/linux-2.6.git;a=commitdiff;h=cf875d498103ff888db76892ae98ddc5ed0d3a4c
>
> Signed-off-by: Kees Cook<kees.cook@canonical.com>
> ---
>   net/decnet/af_decnet.c         |    2 +-
>   net/econet/af_econet.c         |    2 +-
>   net/ieee802154/af_ieee802154.c |    2 +-
>   net/rds/af_rds.c               |    2 +-
>   net/x25/af_x25.c               |    2 +-
>   5 files changed, 5 insertions(+), 5 deletions(-)
>

I'm not entirely opposed (having followed the original discussion on 
netdev). Could you describe for this list under what circumstances a 
protocol module is loaded and what DOSs and vulnerabilities this will 
prevent? I assume there are both user space and network receive side issues.

rtg

On Tue, Jan 11, 2011 at 05:22:21PM -0600, Tim Gardner wrote:
> On 01/11/2011 04:54 PM, Kees Cook wrote:
> >This disables the autoloading of several rare network protocols
> >in an effort to reduce exposure to potential future security
> >issues with them, as recently demonstrated with RDS and Econet.

It's been recommended to possibly add can, rose, ax25, netrom, and phonet
to this list too.

> I'm not entirely opposed (having followed the original discussion on
> netdev). Could you describe for this list under what circumstances a
> protocol module is loaded and what DOSs and vulnerabilities this
> will prevent? I assume there are both user space and network receive
> side issues.

AFAIU, it is strictly a local issue. A process running:

    socket(AF_$SOMETHING, ...)

will trigger the kernel to autoload "net-pf-NNN". For a complete list of these
aliases, see the output:

    egrep "net-pf-[0-9]+ " /lib/modules/$(uname -r)/modules.alias

-Kees

On 01/11/2011 05:39 PM, Kees Cook wrote:
> On Tue, Jan 11, 2011 at 05:22:21PM -0600, Tim Gardner wrote:
>> On 01/11/2011 04:54 PM, Kees Cook wrote:
>>> This disables the autoloading of several rare network protocols
>>> in an effort to reduce exposure to potential future security
>>> issues with them, as recently demonstrated with RDS and Econet.
>
> It's been recommended to possibly add can, rose, ax25, netrom, and phonet
> to this list too.
>
>> I'm not entirely opposed (having followed the original discussion on
>> netdev). Could you describe for this list under what circumstances a
>> protocol module is loaded and what DOSs and vulnerabilities this
>> will prevent? I assume there are both user space and network receive
>> side issues.
>
> AFAIU, it is strictly a local issue. A process running:
>
>      socket(AF_$SOMETHING, ...)
>
> will trigger the kernel to autoload "net-pf-NNN". For a complete list of these
> aliases, see the output:
>
>      egrep "net-pf-[0-9]+ " /lib/modules/$(uname -r)/modules.alias
>
> -Kees
>

Why don't we blacklist these modules instead of carrying more SAUCE patches?

On Wed, Jan 12, 2011 at 03:41:21PM -0600, Tim Gardner wrote:
> Why don't we blacklist these modules instead of carrying more SAUCE patches?

I think that shipping a blacklist file is more of a pain since it would end up as a
debian conffile in /etc, so local changes would cause install debconf questions, etc.

Another option would be to filter it during the modules.aliases file creation so the
list is all in one place.

-Kees

On 01/12/2011 05:06 PM, Kees Cook wrote:
> On Wed, Jan 12, 2011 at 03:41:21PM -0600, Tim Gardner wrote:
>> Why don't we blacklist these modules instead of carrying more SAUCE patches?
>
> I think that shipping a blacklist file is more of a pain since it would end up as a
> debian conffile in /etc, so local changes would cause install debconf questions, etc.
>

I think the folks that would enable these modules are also capable of 
dealing with answering a debconf question. Furthermore, /etc/modprobe.d 
is a well known place for module loading control. Isn't /etc/modprobe.d 
where Jockey does its thing when switching between nvidia and nouveau ?

> Another option would be to filter it during the modules.aliases file creation so the
> list is all in one place.
>

I'm not sure I follow you here. Are you suggesting we add code in the 
post install hook for the kernel that elides the protocol module 
aliases? That doesn't seem like a very good idea to me wrt updates.

rtg

On Wed, Jan 12, 2011 at 05:34:52PM -0600, Tim Gardner wrote:
> On 01/12/2011 05:06 PM, Kees Cook wrote:
> >On Wed, Jan 12, 2011 at 03:41:21PM -0600, Tim Gardner wrote:
> >>Why don't we blacklist these modules instead of carrying more SAUCE patches?
> >
> >I think that shipping a blacklist file is more of a pain since it would end up as a
> >debian conffile in /etc, so local changes would cause install debconf questions, etc.
> >
> 
> I think the folks that would enable these modules are also capable
> of dealing with answering a debconf question. Furthermore,
> /etc/modprobe.d is a well known place for module loading control.
> Isn't /etc/modprobe.d where Jockey does its thing when switching
> between nvidia and nouveau ?

It's certainly an option. I just try to avoid adding conffiles at all
cost since they're so annoying to deal with in packaging if you want to
remove them, change them, etc.

> >Another option would be to filter it during the modules.aliases file creation so the
> >list is all in one place.
> >
> 
> I'm not sure I follow you here. Are you suggesting we add code in
> the post install hook for the kernel that elides the protocol module
> aliases? That doesn't seem like a very good idea to me wrt updates.

No, I mean patching the kernel's build process to add effectively a
grep -v when generating the modules.aliases file. Though the more I
think about this, the more that seems to really be a patch to depmod,
so I probably don't recommend it now.

Anyway, why not carry the kernel patch so we're at least in sync with
Debian?

-Kees

On Tue, 2011-01-11 at 14:54 -0800, Kees Cook wrote:
> This disables the autoloading of several rare network protocols
> in an effort to reduce exposure to potential future security
> issues with them, as recently demonstrated with RDS and Econet.
> 
> Thanks to Ben Hutchings and Debian for the patches:
> 
> http://git.debian.org/?p=kernel/linux-2.6.git;a=commitdiff;h=990932981b989699a710e1ec9eb3dd25f08ac362
> http://git.debian.org/?p=kernel/linux-2.6.git;a=commitdiff;h=189f09eb39228b11fe8a6b56a27ad09639150d37
> http://git.debian.org/?p=kernel/linux-2.6.git;a=commitdiff;h=6fd8c90166edf1595c2c828f7cbe4ba7febc4af8
> http://git.debian.org/?p=kernel/linux-2.6.git;a=commitdiff;h=8d92d7b141b4767f9877ffd1a2c7b0060d50628f
> http://git.debian.org/?p=kernel/linux-2.6.git;a=commitdiff;h=cf875d498103ff888db76892ae98ddc5ed0d3a4c
[...]

Those are not stable references.  That repository is an experimental
conversion of our patch series in svn, and is subject to rebasing.

You could refer to the patches using URLs under
<http://svn.debian.org/wsvn/kernel/releases/linux-2.6/2.6.32-28/debian/patches/debian/>.

Ben.

On 01/12/2011 05:57 PM, Kees Cook wrote:
> On Wed, Jan 12, 2011 at 05:34:52PM -0600, Tim Gardner wrote:
>> On 01/12/2011 05:06 PM, Kees Cook wrote:
>>> On Wed, Jan 12, 2011 at 03:41:21PM -0600, Tim Gardner wrote:
>>>> Why don't we blacklist these modules instead of carrying more SAUCE patches?
>>>
>>> I think that shipping a blacklist file is more of a pain since it would end up as a
>>> debian conffile in /etc, so local changes would cause install debconf questions, etc.
>>>
>>
>> I think the folks that would enable these modules are also capable
>> of dealing with answering a debconf question. Furthermore,
>> /etc/modprobe.d is a well known place for module loading control.
>> Isn't /etc/modprobe.d where Jockey does its thing when switching
>> between nvidia and nouveau ?
>
> It's certainly an option. I just try to avoid adding conffiles at all
> cost since they're so annoying to deal with in packaging if you want to
> remove them, change them, etc.
>
>>> Another option would be to filter it during the modules.aliases file creation so the
>>> list is all in one place.
>>>
>>
>> I'm not sure I follow you here. Are you suggesting we add code in
>> the post install hook for the kernel that elides the protocol module
>> aliases? That doesn't seem like a very good idea to me wrt updates.
>
> No, I mean patching the kernel's build process to add effectively a
> grep -v when generating the modules.aliases file. Though the more I
> think about this, the more that seems to really be a patch to depmod,
> so I probably don't recommend it now.
>
> Anyway, why not carry the kernel patch so we're at least in sync with
> Debian?
>

Because we aren't in sync with Debian. We're in sync with Linus' upstream.

Andy has some thoughts about how we might mitigate debconf questions.

rtg

On Wed, Jan 12, 2011 at 03:06:04PM -0800, Kees Cook wrote:
> On Wed, Jan 12, 2011 at 03:41:21PM -0600, Tim Gardner wrote:
> > Why don't we blacklist these modules instead of carrying more SAUCE patches?
> 
> I think that shipping a blacklist file is more of a pain since it would end up as a
> debian conffile in /etc, so local changes would cause install debconf questions, etc.
> 
> Another option would be to filter it during the modules.aliases file creation so the
> list is all in one place.

If we used one file they would be required to comment things out to
enable one protocol and indeed generate a debconf question.

How about if we made one file per protocol.  disable-x25.conf stylee,
then they could simply remove the file to fix it.  Would that avoid the
conflict.  Cirtainly we could use a dpkg redirect if the file is to go
en-toto?

Would that work better?

-apw

On 01/13/2011 10:09 AM, Andy Whitcroft wrote:
> On Wed, Jan 12, 2011 at 03:06:04PM -0800, Kees Cook wrote:
>> On Wed, Jan 12, 2011 at 03:41:21PM -0600, Tim Gardner wrote:
>>> Why don't we blacklist these modules instead of carrying more SAUCE patches?
>>
>> I think that shipping a blacklist file is more of a pain since it would end up as a
>> debian conffile in /etc, so local changes would cause install debconf questions, etc.
>>
>> Another option would be to filter it during the modules.aliases file creation so the
>> list is all in one place.
>
> If we used one file they would be required to comment things out to
> enable one protocol and indeed generate a debconf question.
>
> How about if we made one file per protocol.  disable-x25.conf stylee,
> then they could simply remove the file to fix it.  Would that avoid the
> conflict.  Cirtainly we could use a dpkg redirect if the file is to go
> en-toto?
>
> Would that work better?
>
> -apw

After a hallway conversation with Kees, we've agreed that he'll write 
the module-init-tools patch to blacklist the aforementioned protocols. 
This has the advantage of being applicable to all Natty user space 
installs, regardless of the kernel in use.

rtg