From: Ben Hutchings <ben@decadent.org.uk>
Date: Thu, 16 Feb 2017 19:09:17 +0000 (+0000)
Subject: dccp: Disable auto-loading as mitigation against local exploits
X-Git-Tag: archive/raspbian/4.9.13-1+rpi1~11^2~95
X-Git-Url: https://dgit.raspbian.org/%22http:/www.example.com//styles.css/%22http:/www.example.com/styles.css?a=commitdiff_plain;h=20fdba02d295a2aad00756348da685bbc07a314c;p=linux-4.9.git

dccp: Disable auto-loading as mitigation against local exploits

We can mitigate the effect of vulnerabilities in obscure protocols by
preventing unprivileged users from loading the modules, so that they
are only exploitable on systems where the administrator has chosen to
load the protocol.

The 'dccp' protocol is not actively maintained or widely used.
Therefore disable auto-loading.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

Gbp-Pq: Topic debian
Gbp-Pq: Name dccp-disable-auto-loading-as-mitigation-against-local-exploits.patch
---

diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
index edbe59d203ef..c7d7b1f809fe 100644
--- a/net/dccp/ipv4.c
+++ b/net/dccp/ipv4.c
@@ -1071,8 +1071,8 @@ module_exit(dccp_v4_exit);
  * values directly, Also cover the case where the protocol is not specified,
  * i.e. net-pf-PF_INET-proto-0-type-SOCK_DCCP
  */
-MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 33, 6);
-MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 0, 6);
+/* MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 33, 6); */
+/* MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 0, 6); */
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Arnaldo Carvalho de Melo <acme@mandriva.com>");
 MODULE_DESCRIPTION("DCCP - Datagram Congestion Controlled Protocol");
diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
index 7506c03a7db9..3e75aa3b1a40 100644
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -1125,8 +1125,8 @@ module_exit(dccp_v6_exit);
  * values directly, Also cover the case where the protocol is not specified,
  * i.e. net-pf-PF_INET6-proto-0-type-SOCK_DCCP
  */
-MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 33, 6);
-MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 0, 6);
+/* MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 33, 6); */
+/* MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 0, 6); */
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Arnaldo Carvalho de Melo <acme@mandriva.com>");
 MODULE_DESCRIPTION("DCCPv6 - Datagram Congestion Controlled Protocol");