From 14c65ab71ccbe3b0810ac6986d6ad02486f9f9a4 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Peter=20M=C3=BCller?=
Date: Mon, 5 Oct 2020 19:45:31 +0000
Subject: [PATCH] sysctl.conf: prevent autoloading of TTY line disciplines
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Malicious/vulnerable TTY line disciplines have been subject of some kernel exploits such as CVE-2017-2636, and since - to put it in Greg Kroah-Hatrman's words - we do not "trust the userspace to do the right thing", this reduces local kernel attack surface.

Further, there is no legitimate reason why an unprivileged user should load kernel modules during runtime, anyway.

See also:
- https://lkml.org/lkml/2019/4/15/890
- https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html

Cc: Arne Fitzenreiter
Cc: Michael Tremer
Signed-off-by: Peter Müller
Signed-off-by: Michael Tremer
---
 config/etc/sysctl.conf | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
index be7c07c857..a100da8e94 100644
--- a/config/etc/sysctl.conf
+++ b/config/etc/sysctl.conf
@@ -39,6 +39,10 @@ net.bridge.bridge-nf-call-ip6tables = 0
 net.bridge.bridge-nf-call-iptables = 0
 net.bridge.bridge-nf-call-arptables = 0
+# Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent unprivileged attackers
+# from loading vulnerable line disciplines with the TIOCSETD ioctl.
+dev.tty.ldisc_autoload = 0
+
 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
 kernel.kptr_restrict = 2
-- 
2.39.2
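Review bot: `dev.tty.ldisc_autoload` only exists on kernels that carry the sysctl (added in Linux 5.1 and backported to some stable series), so on an older kernel the loader fails on this key with a "cannot stat /proc/sys/dev/tty/ldisc_autoload" error, and whether the keys after it, including `kernel.kptr_restrict = 2`, are still applied depends on how the boot scripts invoke sysctl, which this patch does not show. If the loader is procps `sysctl -p`, adding `-e` makes it skip unknown keys; otherwise the kernel requirement is worth recording next to the new comment, e.g. `# Requires a kernel built with CONFIG_LDISC_AUTOLOAD (Linux 5.1 or a stable backport).` Note also that the knob only blocks demand-loading of line-discipline modules: disciplines that are built in or already loaded remain selectable via TIOCSETD, so this complements, rather than replaces, leaving unused line-discipline modules out of the kernel build.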