dccp: Disable auto-loading as mitigation against local exploits
parent
10f2dad569
commit
8cf3230524
@ -246,6 +246,7 @@ linux (4.9.10-1) UNRELEASED; urgency=medium
* pegasus: Use heap buffers for all register access (Closes: #852556)
* pegasus: Use heap buffers for all register access (Closes: #852556)
* test-patches: Use the pkg.linux.notools build profile
* test-patches: Use the pkg.linux.notools build profile
* test-patches: Set default number of jobs to number of available processors
* test-patches: Set default number of jobs to number of available processors
* dccp: Disable auto-loading as mitigation against local exploits
[ Roger Shimizu ]
[ Roger Shimizu ]
* [armel] ARM: dts: orion5x-lschl: Fix model name
* [armel] ARM: dts: orion5x-lschl: Fix model name
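--- a/debian/patches/debian/dccp-disable-auto-loading-as-mitigation-against-local-exploits.patch
+++ b/debian/patches/debian/dccp-disable-auto-loading-as-mitigation-against-local-exploits.patch
@@ -0,0 +1,41 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Thu, 16 Feb 2017 19:09:17 +0000
+Subject: dccp: Disable auto-loading as mitigation against local exploits
+Forwarded: not-needed
+
+We can mitigate the effect of vulnerabilities in obscure protocols by
+preventing unprivileged users from loading the modules, so that they
+are only exploitable on systems where the administrator has chosen to
+load the protocol.
+
+The 'dccp' protocol is not actively maintained or widely used.
+Therefore disable auto-loading.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/net/dccp/ipv4.c
++++ b/net/dccp/ipv4.c
+@@ -1071,8 +1071,8 @@ module_exit(dccp_v4_exit);
+ * values directly, Also cover the case where the protocol is not specified,
+ * i.e. net-pf-PF_INET-proto-0-type-SOCK_DCCP
+ */
+-MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 33, 6);
+-MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 0, 6);
++/* MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 33, 6); */
++/* MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 0, 6); */
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Arnaldo Carvalho de Melo <acme@mandriva.com>");
+ MODULE_DESCRIPTION("DCCP - Datagram Congestion Controlled Protocol");
+--- a/net/dccp/ipv6.c
++++ b/net/dccp/ipv6.c
+@@ -1125,8 +1125,8 @@ module_exit(dccp_v6_exit);
+ * values directly, Also cover the case where the protocol is not specified,
+ * i.e. net-pf-PF_INET6-proto-0-type-SOCK_DCCP
+ */
+-MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 33, 6);
+-MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 0, 6);
++/* MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 33, 6); */
++/* MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 0, 6); */
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Arnaldo Carvalho de Melo <acme@mandriva.com>");
+ MODULE_DESCRIPTION("DCCPv6 - Datagram Congestion Controlled Protocol");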
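Review bot: The patch description (the paragraph beginning "We can mitigate") does not say what the mechanism actually guarantees: commenting out the `MODULE_ALIAS_NET_PF_PROTO_TYPE` lines only removes the alias that makes the kernel auto-load the module when a process asks for a DCCP socket, so an administrator can still load it explicitly, and the change has no effect in a configuration where DCCP is built in rather than modular. A sentence to that effect would stop the next maintainer from reading this as a hardening of the protocol itself, e.g. `This only prevents auto-loading; the modules can still be loaded explicitly, and the mitigation does not apply if DCCP is built into the kernel.` Separately, the aliases are commented out with `/* */` rather than deleted; the series file lists sibling rds, decnet and af_802154 patches that presumably use the same form, so this is fine if it matches them, but otherwise deleting the two lines in each file would avoid leaving dead code behind.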
@ -29,6 +29,7 @@ features/all/aufs4/aufs4-standalone.patch
debian/af_802154-Disable-auto-loading-as-mitigation-against.patch
debian/af_802154-Disable-auto-loading-as-mitigation-against.patch
debian/rds-Disable-auto-loading-as-mitigation-against-local.patch
debian/rds-Disable-auto-loading-as-mitigation-against-local.patch
debian/decnet-Disable-auto-loading-as-mitigation-against-lo.patch
debian/decnet-Disable-auto-loading-as-mitigation-against-lo.patch
debian/dccp-disable-auto-loading-as-mitigation-against-local-exploits.patch
debian/fs-enable-link-security-restrictions-by-default.patch
debian/fs-enable-link-security-restrictions-by-default.patch
# Set various features runtime-disabled by default
# Set various features runtime-disabled by default