From Fedora Project Wiki
No edit summary
(Update to reflect the code submitted upstream.)
Line 12: Line 12:
* Targeted release: [[Releases/13 | Fedora 13 ]]  
* Targeted release: [[Releases/13 | Fedora 13 ]]  
* Last updated: 2010-01-26
* Last updated: 2010-01-26
* Percentage of completion: 25%
* Percentage of completion: 90% (code is ready, waiting for adoption by maintainer)


== Detailed Description ==
== Detailed Description ==
Line 19: Line 19:
modprobe can also run specified commands instead of loading a module (using the "install" configuration directive); this is restricted using the same whitelist as well.
modprobe can also run specified commands instead of loading a module (using the "install" configuration directive); this is restricted using the same whitelist as well.


To help system administrators compile the whitelist, additional functionality is added to modprobe: it will be possible to log all information (as if using "modprobe -v") to a specified file, including modprobe actions run in the dracut initrd.  A script will be provided that compiles a proposed whitelist from the logged data.
To help system administrators compile the whitelist, additional functionality is added to modprobe: it will be possible to log all information (similar to using "modprobe -v") to a specified file, including modprobe actions run in the dracut initrd.  A script will be provided that compiles a proposed whitelist from the logged data.


== Benefit to Fedora ==
== Benefit to Fedora ==
Line 27: Line 27:


== Scope ==
== Scope ==
New features in modprobe and a very small addition to dracut (to copy the log data from the initrd to the root filesystem).
New features in modprobe.


== How To Test ==
== How To Test ==
No special hardware needed.
No special hardware needed.


* Configure modprobe to log its actions, reboot the system and use it as usual.
See the "NOTES" section of build-modprobe-whitelist(8) for instructions on setting up the whitelist. Then verify that "modprobe module-not-on-whitelist" fails, both on the running system and in the initrd (using rdbreak, as described in the buid-modprobe-whitelist(8) man page).
* Disable the logging, generate a whitelist using a provided script.
* Reboot again, verify system works correctly.  Verify other modules can't be loaded.
* Regenerate the initrd (to embed the whitelist into the initrd), reboot, verify the system still works correctly.
* Using dracut's debugging facilities, verify the whitelist is enforced even in the initrd.


== User Experience ==
== User Experience ==
No impact by default.  System administrators who want to build a whitelist can do so, following documentation that will be provided.
No impact by default.  System administrators who want to build a whitelist can do so, following build-modprobe-whitelist(8).


== Dependencies ==
== Dependencies ==
Line 48: Line 44:


== Documentation ==
== Documentation ==
To be written and included in module-init tools:
Included in the patch set:
* Updates to modprobe.conf(5)
* Updates to modprobe.conf(5).
* New man page for module_whitelist_template(8)
* New man page for build-modprobe-whitelist(8)
* New README.whitelist in /usr/share/doc/module-init-tools-*


== Release Notes ==
== Release Notes ==
(in "Security" section)
(in "Security" section)


Fedora now allows system administrators to restrict the modules that can be automatically loaded into the kernel to a specific subset of explicitly chosen modules.  This prevents attacks on vulnerable kernel code that is not necessary for ordinary system operation (e.g. by plugging in a flash drive with an unusual filesystem, by plugging in unusual hardware, initializing network connections using an unusual protocol).  See /usr/share/doc/module-init-tools-*/README.whitelist for details.
Fedora now allows system administrators to restrict the modules that can be automatically loaded into the kernel to a specific subset of explicitly chosen modules.  This prevents attacks on vulnerable kernel code that is not necessary for ordinary system operation (e.g. by plugging in a flash drive with an unusual filesystem, by plugging in unusual hardware, initializing network connections using an unusual protocol).  See build-modprobe-whitelist(8) for details.


== Comments and Discussion ==
== Comments and Discussion ==

Revision as of 19:50, 29 January 2010

modprobe Whitelist

Summary

Add a whitelist of allowed modules and commands to modprobe, to allow the system administrator to limit the amount of (potentially vulnerable) code that can run in the kernel.

Owner

  • Email: <mitr@redhat.com>

Current status

  • Targeted release: Fedora 13
  • Last updated: 2010-01-26
  • Percentage of completion: 90% (code is ready, waiting for adoption by maintainer)

Detailed Description

The kernel, and various user-space applications, can automatically load kernel modules necessary to handle certain actions (e.g. flash dish with a specific filesystem is attached, other hardware is plugged in, application uses a network protocol). This may allow even unprivileged users to cause loading kernel modules, and the kernel code may be vulnerable. This feature allows system administrators in high-security situations to limit the modules loaded by modprobe to a specific list of modules configured by the administrator, making it impossible for unprivileged users to exploit vulnerabilities in modules that are not ordinarily used by e.g. attaching hardware.

modprobe can also run specified commands instead of loading a module (using the "install" configuration directive); this is restricted using the same whitelist as well.

To help system administrators compile the whitelist, additional functionality is added to modprobe: it will be possible to log all information (similar to using "modprobe -v") to a specified file, including modprobe actions run in the dracut initrd. A script will be provided that compiles a proposed whitelist from the logged data.

Benefit to Fedora

If desired and configured by the system administrator, a significant reduction of the kernel-space attack surface, avoiding risk of vulnerabilities in rarely-used kernel-mode code.

A sample desktop Fedora 12 system currently has 79 modules loaded, out of 1964 available modules (4%). When counting code size, and the main kernel file (/boot/vmlinuz*) is included, the sample desktop system runs 8.36 MB of kernel-space code, out of 34.66 MB available (24%).

Scope

New features in modprobe.

How To Test

No special hardware needed.

See the "NOTES" section of build-modprobe-whitelist(8) for instructions on setting up the whitelist. Then verify that "modprobe module-not-on-whitelist" fails, both on the running system and in the initrd (using rdbreak, as described in the buid-modprobe-whitelist(8) man page).

User Experience

No impact by default. System administrators who want to build a whitelist can do so, following build-modprobe-whitelist(8).

Dependencies

Upstream acceptance in module-init-tools.

Contingency Plan

None necessary.

Documentation

Included in the patch set:

  • Updates to modprobe.conf(5).
  • New man page for build-modprobe-whitelist(8)

Release Notes

(in "Security" section)

Fedora now allows system administrators to restrict the modules that can be automatically loaded into the kernel to a specific subset of explicitly chosen modules. This prevents attacks on vulnerable kernel code that is not necessary for ordinary system operation (e.g. by plugging in a flash drive with an unusual filesystem, by plugging in unusual hardware, initializing network connections using an unusual protocol). See build-modprobe-whitelist(8) for details.

Comments and Discussion