Re: [kernel-hardening] [RFC 0/4] make call_usermodehelper a bit more "safe"

2016-12-14 Thread Greg Kroah-Hartman
On Wed, Dec 14, 2016 at 10:28:18PM +0100, Jason A. Donenfeld wrote: > Hi Greg, > > On Wed, Dec 14, 2016 at 7:50 PM, Greg KH wrote: > > So, anyone have any better ideas? Is this approach worth it? Or should > > we just go down the "whitelist" path? > > I think your

Re: [kernel-hardening] [RFC 0/4] make call_usermodehelper a bit more "safe"

2016-12-14 Thread Greg Kroah-Hartman
On Wed, Dec 14, 2016 at 10:28:18PM +0100, Jason A. Donenfeld wrote: > Hi Greg, > > On Wed, Dec 14, 2016 at 7:50 PM, Greg KH wrote: > > So, anyone have any better ideas? Is this approach worth it? Or should > > we just go down the "whitelist" path? > > I think your approach is generally better

Re: [kernel-hardening] [RFC 0/4] make call_usermodehelper a bit more "safe"

2016-12-14 Thread Jason A. Donenfeld
Hi Greg, On Wed, Dec 14, 2016 at 7:50 PM, Greg KH wrote: > So, anyone have any better ideas? Is this approach worth it? Or should > we just go down the "whitelist" path? I think your approach is generally better than the whitelist path. But maybe there's yet a

Re: [kernel-hardening] [RFC 0/4] make call_usermodehelper a bit more "safe"

2016-12-14 Thread Jason A. Donenfeld
Hi Greg, On Wed, Dec 14, 2016 at 7:50 PM, Greg KH wrote: > So, anyone have any better ideas? Is this approach worth it? Or should > we just go down the "whitelist" path? I think your approach is generally better than the whitelist path. But maybe there's yet a third approach that involves

Re: [kernel-hardening] [RFC 0/4] make call_usermodehelper a bit more "safe"

2016-12-14 Thread Kees Cook
On Wed, Dec 14, 2016 at 11:25 AM, Mark Rutland wrote: > > Hi, > > On Wed, Dec 14, 2016 at 10:50:00AM -0800, Greg KH wrote: >> The issue is that if you end up getting write access to kernel memory, >> if you change the string '/sbin/hotplug' to point to >>

Re: [kernel-hardening] [RFC 0/4] make call_usermodehelper a bit more "safe"

2016-12-14 Thread Kees Cook
On Wed, Dec 14, 2016 at 11:25 AM, Mark Rutland wrote: > > Hi, > > On Wed, Dec 14, 2016 at 10:50:00AM -0800, Greg KH wrote: >> The issue is that if you end up getting write access to kernel memory, >> if you change the string '/sbin/hotplug' to point to >> '/home/hacked/my_binary', then the next

Re: [kernel-hardening] [RFC 0/4] make call_usermodehelper a bit more "safe"

2016-12-14 Thread Mark Rutland
Hi, On Wed, Dec 14, 2016 at 10:50:00AM -0800, Greg KH wrote: > The issue is that if you end up getting write access to kernel memory, > if you change the string '/sbin/hotplug' to point to > '/home/hacked/my_binary', then the next uevent that the system makes > will call this binary instead of

Re: [kernel-hardening] [RFC 0/4] make call_usermodehelper a bit more "safe"

2016-12-14 Thread Mark Rutland
Hi, On Wed, Dec 14, 2016 at 10:50:00AM -0800, Greg KH wrote: > The issue is that if you end up getting write access to kernel memory, > if you change the string '/sbin/hotplug' to point to > '/home/hacked/my_binary', then the next uevent that the system makes > will call this binary instead of