Unlike device or filesystem modules, most protocol modules may be auto-loaded on behalf of local users without any special capabilities. This means that security vulnerabilities in such protocol modules may be exploitable by local users even on a system where there is no need for the protocol.
Protocol modules are requested via module aliases generated from the protocol-family, protocol and type numbers passed to socket(). Administrators can of course blacklist the modules or disable their aliases, but there is an ever-growing list of protocols. There has been some discussion upstream of providing a means to disable or restrict this auto-loading altogether, but this is currently unresolved.

These are the changes in defined aliases between current stable and unstable kernels:

-alias net-pf-10 ipv6

This is now built-in.

+alias net-pf-16-proto-13 ip6_queue
+alias net-pf-16-proto-3 ip_queue

Netlink support for iptables/ip6tables. This is not new code but auto-loading was only enabled in Linux 2.6.30. Most use seems to be dependent on capable(CAP_NET_ADMIN).

+alias net-pf-21 rds

This has had several recent vulnerabilities. Perhaps we should remove this alias?

+alias net-pf-35 phonet
+alias net-pf-35-proto-2 pn_pep

I was unable to create AF_PHONET sockets, so I assume they can only be created if a suitable device exists.

+alias net-pf-36 af_802154

I have no idea of the security state of this. I was able to create AF_IEEE802154 sockets on a system with no suitable devices.

Ben.

-- 
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.
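As an added illustration of the auto-loading mechanism described in the message above (this is editor-supplied example code, not part of the original message or of the kernel), the script below resolves which module a given socket(family, type, protocol) call would cause the kernel to request, and emits the modprobe.d lines an administrator can use to stop those modules from auto-loading. It assumes the three alias forms "net-pf-<family>", "net-pf-<family>-proto-<protocol>" and "net-pf-<family>-proto-<protocol>-type-<type>" (the first two appear in the alias list above; the third is assumed), and it uses a constructed excerpt in the format of modules.alias, built from the aliases quoted in the message, rather than a real file.

```python
"""Map socket() arguments to the module aliases the kernel would request,
and generate modprobe.d directives that block that auto-loading."""
import re

# Constructed sample in the format of /lib/modules/<ver>/modules.alias,
# using only the aliases quoted in the message (not a real file).
SAMPLE_MODULES_ALIAS = """\
alias net-pf-16-proto-13 ip6_queue
alias net-pf-16-proto-3 ip_queue
alias net-pf-21 rds
alias net-pf-35 phonet
alias net-pf-35-proto-2 pn_pep
alias net-pf-36 af_802154
"""

# Address-family numbers for the families discussed in the message.
AF_NETLINK, AF_RDS, AF_PHONET, AF_IEEE802154 = 16, 21, 35, 36
SOCK_DGRAM, SOCK_RAW, SOCK_SEQPACKET = 2, 3, 5


def parse_modules_alias(text):
    """Return {alias: module} from modules.alias-style lines."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"alias\s+(\S+)\s+(\S+)", line)
        if m:
            table[m.group(1)] = m.group(2)
    return table


def requested_aliases(family, socktype, protocol):
    """Alias names a socket(family, socktype, protocol) call can cause the
    kernel to request. The family-only form is requested when no handler
    for the family is registered; families such as netlink and phonet then
    request a per-protocol form. The "-type-" form is an assumption here."""
    return [
        f"net-pf-{family}",
        f"net-pf-{family}-proto-{protocol}",
        f"net-pf-{family}-proto-{protocol}-type-{socktype}",
    ]


def modules_for_socket(table, family, socktype, protocol):
    """(alias, module) pairs that an unprivileged socket() call could load."""
    return [(a, table[a]) for a in requested_aliases(family, socktype, protocol)
            if a in table]


def disable_directives(table):
    """modprobe.d lines that neutralise every protocol-module alias in the
    table: 'install <module> /bin/true' makes modprobe report success
    without loading anything, so the socket() call fails instead."""
    mods = sorted({m for a, m in table.items() if a.startswith("net-pf-")})
    return [f"install {m} /bin/true" for m in mods]


if __name__ == "__main__":
    table = parse_modules_alias(SAMPLE_MODULES_ALIAS)
    for fam, typ, proto in [(AF_RDS, SOCK_SEQPACKET, 0),
                            (AF_NETLINK, SOCK_RAW, 3),
                            (AF_PHONET, SOCK_SEQPACKET, 2)]:
        print(f"socket({fam}, {typ}, {proto}) ->",
              modules_for_socket(table, fam, typ, proto))
    print("\n".join(disable_directives(table)))
```

On a real system the same logic can be pointed at the actual modules.alias file to audit which address families a local user can cause to load, and the generated directives dropped into a file under /etc/modprobe.d/ for the modules the host does not need.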