Add file system blacklist file (fate#326832). #5

Merged
merged 2 commits into from Jan 30, 2019
+34 −0
modprobe.conf: add file system blacklist file (fate#326832).

Some file systems are not used on most systems but the kernel
will still happily load the modules for them when presented with
a potentially malicious device like a USB stick.  Many of these
have not been maintained except for in-kernel API compatibility
in many years, have not been audited, and may have security
vulnerabilities.

This patch adds a new 60-filesystem-blacklist.conf that prevents
the kernel from autoloading these modules.
jeffmahoney committed Jan 18, 2019
commit 8cb42fb6658f210cb8c955d584a65f7b041c0575
@@ -0,0 +1,32 @@
# These file systems are not used on most systems but the kernel
# will still happily load the modules for them when presented with
# a potentially malicious device like a USB stick. Many of these
# have not been maintained except for in-kernel API compatibility
# in many years, have not been audited, and may have security vulnerabilities.
#
# The following list only specifies local file systems since those are the
# only ones that will be detected automatically by mount(8).
#
# Enable at your own risk.
#
blacklist adfs
blacklist affs
blacklist bfs
blacklist befs
blacklist cramfs
blacklist efs
blacklist erofs
blacklist exofs
blacklist freevxfs
blacklist f2fs
blacklist hfs
blacklist hpfs
blacklist jffs2

richardweinberger Feb 14, 2019

This is a raw flash filesystem; it does not work on a block device. So there is no way to have this automatically mounted by plugging in a USB thumb drive.

jeffmahoney Feb 15, 2019

True, and the code doesn't allow loopback mounts. We can drop jffs2.

blacklist jfs
blacklist minix
blacklist nilfs2
blacklist qnx4
blacklist qnx6
blacklist sysv
blacklist ubifs

richardweinberger Feb 14, 2019

Same as for jffs2. But UBIFS is actively developed and maintained.
I can understand that OpenSUSE blacklists flash filesystems because you need them only on embedded
devices with raw flash. But please don't claim that they are unmaintained/vulnerable.

jeffmahoney Feb 15, 2019

The same applies to ubifs. But your more general point is well taken. You're right. Martin Wilck has a newer version of this that creates one file per blacklist entry and has a comment at the top of each. Currently it uses the phrasing "because it isn't actively supported by SUSE, not well maintained, and may have security vulnerabilities."

It would make more sense to change the phrasing to "or" instead of "and."

blacklist ufs
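Review bot: `blacklist` only makes modprobe ignore a module's internal aliases (the `fs-<name>` alias the kernel requests when mount(2) is called with a file system type that is not yet registered), so these lines stop autoloading on plug-in but not an explicit `modprobe jfs` by root; if the header comment's goal is to keep the modules off the system entirely, the conventional hard block is an `install <module> /bin/false` line per module alongside the `blacklist` line. The header comment also states as fact that the listed file systems are unmaintained and may be vulnerable, which the thread already shows is wrong for jffs2 and ubifs (raw-flash file systems that cannot be mounted from a block device); drop those two entries as agreed above and soften the comment to the "or" phrasing proposed in the discussion so the file's rationale matches what is actually claimed. Finally, `# Enable at your own risk.` reads as if the whole file were optional; `# Re-enable individual file systems at your own risk.` says what is meant.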
@@ -74,6 +74,7 @@ install -pm644 "10-unsupported-modules.conf" \
"%{buildroot}%{_sysconfdir}/modprobe.d/"
install -pm644 00-system.conf "%{buildroot}%{_sysconfdir}/modprobe.d/"
install -pm644 modprobe.conf/modprobe.conf.blacklist "%{buildroot}%{_sysconfdir}/modprobe.d/50-blacklist.conf"
install -pm644 modprobe.conf/modprobe.conf.fs-blacklist "%{buildroot}%{_sysconfdir}/modprobe.d/60-filesystem-blacklist.conf"
install -pm644 modprobe.conf/modprobe.conf.local "%{buildroot}%{_sysconfdir}/modprobe.d/99-local.conf"
install -d -m 755 "%{buildroot}%{_sysconfdir}/depmod.d"
install -pm 644 "depmod-00-system.conf" \
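Review bot: the new install line references `modprobe.conf/modprobe.conf.fs-blacklist`, but the new-file hunk on this page carries no file header, so it cannot be confirmed from the diff that the 32-line blacklist lands under that source name rather than under the installed name `60-filesystem-blacklist.conf` used in the commit message; please make sure the two correspond, as a mismatch would make the `install` fail at build time. The mode and flags match the adjacent `50-blacklist.conf` line, so the style is consistent.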
@@ -185,6 +186,7 @@ fi
%config %{_sysconfdir}/modprobe.d/00-system.conf
%config(noreplace) %{_sysconfdir}/modprobe.d/10-unsupported-modules.conf
%config(noreplace) %{_sysconfdir}/modprobe.d/50-blacklist.conf
%config(noreplace) %{_sysconfdir}/modprobe.d/60-filesystem-blacklist.conf
%config(noreplace) %{_sysconfdir}/modprobe.d/99-local.conf
%dir %{_sysconfdir}/depmod.d
%config %{_sysconfdir}/depmod.d/00-system.conf
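Review bot: `%config(noreplace)` for `60-filesystem-blacklist.conf` is the right choice given the header's expectation that admins delete individual `blacklist` lines to re-enable a file system, but it also means that once an admin has edited the file, any entries added to the list in later package versions will only ever appear as an `.rpmnew` file and never take effect on that host. If the list is expected to grow, the one-file-per-module layout mentioned in the discussion above (each with its own comment) would let new entries ship as new files while still preserving local edits to existing ones; either way the trade-off deserves a sentence in the changelog.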