On Tue, Nov 28, 2017 at 12:12 PM, Linus Torvalds <torva...@linux-foundation.org> wrote: > On Tue, Nov 28, 2017 at 12:08 PM, Kees Cook <keesc...@chromium.org> wrote: >> >> Linus, are you okay with this series if the global sysctl gets dropped? > > So really, it's not the "global sysctl" as much as the "global > request_module()" that annoys me. > > I'll happily take the request_module_cap() part and the thing that > makes networking use that. > > But the flag that we have to default to off because it breaks every > single box otherwise? No. It doesn't matter if it's one single global > or just a "global behavior for request_module() for this process" at > that point, it's still a pointless security flag that is opt-in.
To be clear: such a flag wouldn't doesn't break every system, but I understand your concern. So what's the right path forward for allowing a way to block autoloading? Separate existing request_module() calls into "must be privileged" and "can be unpriv" first, then rework the series to deal with the "unpriv okay" subset? -Kees -- Kees Cook Pixel Security
