New issue
Advanced search Search tips

Issue 699623 link

Starred by 0 users
Status: Untriaged
Owner: ----
Cc:
mnissler@chromium.org
vapier@chromium.org
keescook@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 3
Type: Feature



Sign in to add a comment

support CONFIG_STATIC_USERMODEHELPER

Project Member Reported by vapier@chromium.org, Mar 8 2017 
upstream has added a new feature:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=64e90a8acb8590c2468c919f803652f081e3a4bf

this would allow us to filter all usermode programs the kernel calls and reject any that had been messed with.  we've been bitten before when things like /proc/sys/kernel/modprobe were modified to point elsewhere.

we'll have to:
(1) backport that patch to all our kernels (looks pretty easy)
(2) write a new program that would whitelist specific binaries (and exec them) and log+crash on all others
(3) write an ebuild for it & include it in the base OS
(4) turn it on in all our kernel configs
Project Member

Comment 1 by bugdroid1@chromium.org, Nov 23 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/autotest/+/1217ea5c2331fac1d8f050b47d18609e52a5e5a6

commit 1217ea5c2331fac1d8f050b47d18609e52a5e5a6
Author: Mike Frysinger <vapier@chromium.org>
Date: Thu Nov 23 01:29:41 2017

kernel_ConfigVerify: make sure FW_LOADER_USER_HELPER is disabled

We've disabled this in all our kernels forever, so shouldn't be a problem
enforcing this moving forward.

BUG=chromium:699623
TEST=precq passes

Change-Id: I82362da12632c99a386f918b5b25cfa387458386
Reviewed-on: https://chromium-review.googlesource.com/783311
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>

[modify] https://crrev.com/1217ea5c2331fac1d8f050b47d18609e52a5e5a6/client/site_tests/kernel_ConfigVerify/kernel_ConfigVerify.py
Project Member

Comment 2 by sheriffbot@chromium.org, Nov 23

Labels: Hotlist-Recharge-Cold
Status: Untriaged (was: Available)
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue.

Sorry for the inconvenience if the bug really should have been left as Available.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment