anonymous-lestat
/
Void-Hardened-Kernel


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161
							diff -rcNP void-hardened-kernel 2/Documentation/admin-guide/kernel-parameters.txt void-hardened-kernel/Documentation/admin-guide/kernel-parameters.txt
*** void-hardened-kernel 2/Documentation/admin-guide/kernel-parameters.txt	2021-04-08 00:01:58.000000000 +0300
--- void-hardened-kernel/Documentation/admin-guide/kernel-parameters.txt	2021-04-11 22:39:31.000000000 +0300
***************
*** 2689,2694 ****
--- 2689,2698 ----
  			log everything. Information is printed at KERN_DEBUG
  			so loglevel=8 may also need to be specified.
  
+ 	modharden=	[SECURITY]
+ 			on - Restrict module auto-loading to CAP_SYS_MODULE
+ 			off - Don't restrict module auto-loading
+ 
  	module.sig_enforce
  			[KNL] When CONFIG_MODULE_SIG is set, this means that
  			modules without (valid) signatures will fail to load.
diff -rcNP void-hardened-kernel 2/Documentation/admin-guide/sysctl/kernel.rst void-hardened-kernel/Documentation/admin-guide/sysctl/kernel.rst
*** void-hardened-kernel 2/Documentation/admin-guide/sysctl/kernel.rst	2021-04-08 00:01:58.000000000 +0300
--- void-hardened-kernel/Documentation/admin-guide/sysctl/kernel.rst	2021-04-11 22:39:31.000000000 +0300
***************
*** 469,474 ****
--- 469,488 ----
  0, the cache is disabled. Enabled if nonzero.
  
  
+ modharden:
+ ==========
+ 
+ This toggle indicates whether unprivileged users are allowed to
+ auto-load kernel modules.
+ 
+ When modharden is set to (0) there are no restrictions. When
+ modharden is set to (1), only users with ``CAP_SYS_MODULE`` are
+ permitted to load kernel modules
+ 
+ The kernel config option ``CONFIG_SECURITY_MODHARDEN`` sets the
+ default value of modharden.
+ 
+ 
  modules_disabled:
  =================
  
diff -rcNP void-hardened-kernel 2/include/linux/kmod.h void-hardened-kernel/include/linux/kmod.h
*** void-hardened-kernel 2/include/linux/kmod.h	2021-04-08 00:01:58.000000000 +0300
--- void-hardened-kernel/include/linux/kmod.h	2021-04-11 22:39:31.000000000 +0300
***************
*** 22,27 ****
--- 22,28 ----
   * usually useless though. */
  extern __printf(2, 3)
  int __request_module(bool wait, const char *name, ...);
+ extern int modharden;
  #define request_module(mod...) __request_module(true, mod)
  #define request_module_nowait(mod...) __request_module(false, mod)
  #define try_then_request_module(x, mod...) \
diff -rcNP void-hardened-kernel 2/kernel/kmod.c void-hardened-kernel/kernel/kmod.c
*** void-hardened-kernel 2/kernel/kmod.c	2021-04-08 00:01:58.000000000 +0300
--- void-hardened-kernel/kernel/kmod.c	2021-04-11 22:39:31.000000000 +0300
***************
*** 106,111 ****
--- 106,128 ----
  	return -ENOMEM;
  }
  
+ int modharden __read_mostly = IS_ENABLED(CONFIG_SECURITY_MODHARDEN);
+ 
+ static int __init enable_modharden(char *level)
+ {
+ 	if (!level)
+ 		return -EINVAL;
+ 
+ 	if (strcmp(level, "on") == 0)
+ 		modharden = 1;
+ 	else if (strcmp(level, "off") == 0)
+ 		modharden = 0;
+ 	else
+ 		return -EINVAL;
+ 
+ 	return 0;
+ }
+ early_param("modharden", enable_modharden);
  /**
   * __request_module - try to load a kernel module
   * @wait: wait (or not) for the operation to complete
***************
*** 149,154 ****
--- 166,176 ----
  	if (ret)
  		return ret;
  
+ 	if (modharden && !capable(CAP_SYS_MODULE)) {
+ 		printk(KERN_ALERT "denied attempt to auto-load module %s\n", module_name);
+ 		return -EPERM;
+ 	}
+ 
  	if (atomic_dec_if_positive(&kmod_concurrent_max) < 0) {
  		pr_warn_ratelimited("request_module: kmod_concurrent_max (%u) close to 0 (max_modprobes: %u), for module %s, throttling...",
  				    atomic_read(&kmod_concurrent_max),
diff -rcNP void-hardened-kernel 2/kernel/sysctl.c void-hardened-kernel/kernel/sysctl.c
*** void-hardened-kernel 2/kernel/sysctl.c	2021-04-08 00:01:58.000000000 +0300
--- void-hardened-kernel/kernel/sysctl.c	2021-04-11 22:39:31.000000000 +0300
***************
*** 730,735 ****
--- 730,744 ----
  		.extra1		= SYSCTL_ONE,
  		.extra2		= SYSCTL_ONE,
  	},
+ 	{
+ 	.procname	= "modharden",
+ 	.data		= &modharden,
+ 	.maxlen		= sizeof(int),
+ 	.mode		= 0644,
+ 	.proc_handler	= proc_dointvec_minmax,
+ 	.extra1		= SYSCTL_ZERO,
+ 	.extra2		= SYSCTL_ONE,
+ 	},
  #endif
  #ifdef CONFIG_UEVENT_HELPER
  	{
diff -rcNP void-hardened-kernel 2/security/Kconfig void-hardened-kernel/security/Kconfig
*** void-hardened-kernel 2/security/Kconfig	2021-04-08 00:01:58.000000000 +0300
--- void-hardened-kernel/security/Kconfig	2021-04-11 22:43:45.000000000 +0300
***************
*** 42,47 ****
--- 42,69 ----
  
  	  If you are unsure how to answer this question, answer N.
  
+ config SECURITY_MODHARDEN
+ 	bool "Harden module auto-loading"
+ 	default n
+ 	depends on MODULES
+   	help
+ 	  If you say Y here, module auto-loading in response to use of some
+ 	  feature implemented by an unloaded module will be restricted to
+ 	  CAP_SYS_MODULE. Enabling this option helps defend against attacks
+ 	  by unprivileged users who abuse the auto-loading behavior to
+ 	  cause a vulnerable module to load that is then exploited.
+ 
+ 	  If this option prevents a legitimate use of auto-loading for a
+ 	  non-root user, the administrator can execute modprobe manually
+ 	  with the exact name of the module mentioned in the alert log.
+ 	  Alternatively, the administrator can add the module to the list
+ 	  of modules loaded at boot by modifying init scripts.
+ 
+ 	  This setting can be overridden at runtime via the
+ 	  kernel.modharden sysctl.
+ 
+ 	  If unsure say N.
+ 
  config SECURITY
  	bool "Enable different security models"
  	depends on SYSFS
***************
*** 353,356 ****
  source "security/Kconfig.hardening"
  
  endmenu
- 
--- 375,377 ----