From ca16c8cf1e27910347a6132f83d5f3e9cafb8483 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Thu, 16 Feb 2017 19:09:17 +0000 Subject: [PATCH] dccp: Disable auto-loading as mitigation against local exploits Forwarded: not-needed We can mitigate the effect of vulnerabilities in obscure protocols by preventing unprivileged users from loading the modules, so that they are only exploitable on systems where the administrator has chosen to load the protocol. The 'dccp' protocol is not actively maintained or widely used. Therefore disable auto-loading. Signed-off-by: Ben Hutchings Gbp-Pq: Topic debian Gbp-Pq: Name dccp-disable-auto-loading-as-mitigation-against-local-exploits.patch --- net/dccp/ipv4.c | 4 ++-- net/dccp/ipv6.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c index 9fe6d967971..65e5d93882d 100644 --- a/net/dccp/ipv4.c +++ b/net/dccp/ipv4.c @@ -1093,8 +1093,8 @@ module_exit(dccp_v4_exit); * values directly, Also cover the case where the protocol is not specified, * i.e. net-pf-PF_INET-proto-0-type-SOCK_DCCP */ -MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 33, 6); -MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 0, 6); +/* MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 33, 6); */ +/* MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 0, 6); */ MODULE_LICENSE("GPL"); MODULE_AUTHOR("Arnaldo Carvalho de Melo "); MODULE_DESCRIPTION("DCCP - Datagram Congestion Controlled Protocol"); diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c index e0b0bf75a46..95f21096ede 100644 --- a/net/dccp/ipv6.c +++ b/net/dccp/ipv6.c @@ -1174,8 +1174,8 @@ module_exit(dccp_v6_exit); * values directly, Also cover the case where the protocol is not specified, * i.e. net-pf-PF_INET6-proto-0-type-SOCK_DCCP */ -MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 33, 6); -MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 0, 6); +/* MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 33, 6); */ +/* MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 0, 6); */ MODULE_LICENSE("GPL"); MODULE_AUTHOR("Arnaldo Carvalho de Melo "); MODULE_DESCRIPTION("DCCPv6 - Datagram Congestion Controlled Protocol"); -- 2.30.2