oss-sec mailing list archives
Re: Recent Kernel exploits, attack surface reduction, example IPSEC
From: Donald Buczek <buczek () molgen mpg de>
Date: Sun, 17 May 2026 15:48:00 +0200
On 5/16/26 17:09, Bernhard R. Link wrote:
> Security wise, supporting allow-lists instead of only deny-lists would make it easier for systems where you know beforehand what you want (I guess many server systems might end up in there). Of course you can just load everything and disable module loading, but then you'll need a restart whenever what you load needs to be changed.

By the way, I've just added such a feature to kmod for us:

https://github.molgen.mpg.de/mariux64/kmod/compare/v34.2...v34.2-mpi

Previously, we experimented with a wrapper script for /proc/sys/kernel/modprobe:

https://github.molgen.mpg.de/mariux64/mxtools/pull/532

But this would guard only the modules requested by the kernel, not the modules pulled in as dependencies. So I think we'll discontinue that approach and use the kmod modification instead.

Best

Donald

--
Donald Buczek
buczek () molgen mpg de
Tel: +49 30 8413 1433
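The gap described in the message above (a check on the requested module name never sees its dependencies) as an added example; it is not part of the original post and is neither the kmod change nor the mxtools wrapper linked there. The modules.dep-style sample, the allow-list contents and all function names are constructed for illustration.

```python
import os

# Constructed modules.dep-style sample ("path: dependency paths"); not from a real system.
SAMPLE_MODULES_DEP = """\
kernel/net/ipv4/esp4.ko.xz: kernel/net/xfrm/xfrm_algo.ko.xz
kernel/net/xfrm/xfrm_algo.ko.xz:
kernel/fs/nfs/nfs.ko.xz: kernel/fs/lockd/lockd.ko.xz kernel/net/sunrpc/sunrpc.ko.xz
kernel/fs/lockd/lockd.ko.xz: kernel/net/sunrpc/sunrpc.ko.xz
kernel/net/sunrpc/sunrpc.ko.xz:
"""

def module_name(path):
    """kernel/net/ipv4/esp4.ko.xz -> esp4; '-' and '_' are treated alike."""
    base = os.path.basename(path.strip())
    return base.split(".ko")[0].replace("-", "_")

def parse_deps(text):
    """Map each module name to the names of its direct dependencies."""
    deps = {}
    for line in text.splitlines():
        target, sep, rest = line.partition(":")
        if sep:
            deps[module_name(target)] = [module_name(p) for p in rest.split()]
    return deps

def load_set(name, deps):
    """The requested module plus everything pulled in as a dependency."""
    seen, stack = set(), [module_name(name)]
    while stack:
        mod = stack.pop()
        if mod not in seen:
            seen.add(mod)
            stack.extend(deps.get(mod, []))
    return seen

def check_request_only(name, allow):
    """A check that only sees the requested name (hypothetical wrapper logic)."""
    return module_name(name) in allow

def check_closure(name, deps, allow):
    """Modules a load would bring in that are missing from the allow-list."""
    return sorted(load_set(name, deps) - set(allow))

if __name__ == "__main__":
    deps = parse_deps(SAMPLE_MODULES_DEP)
    allow = {"nfs", "lockd"}  # constructed allow-list
    print("request-only check passes:", check_request_only("nfs", allow))
    print("not allow-listed but would load:", check_closure("nfs", deps, allow))
```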
Current thread:
- Recent Kernel exploits, attack surface reduction, example IPSEC Hanno Böck (May 16)
- Re: Recent Kernel exploits, attack surface reduction, example IPSEC Valtteri Vuorikoski (May 16)
- Re: Recent Kernel exploits, attack surface reduction, example IPSEC Agostino Sarubbo (May 16)
- Re: Recent Kernel exploits, attack surface reduction, example IPSEC Bernhard R. Link (May 16)
- Re: Recent Kernel exploits, attack surface reduction, example IPSEC Donald Buczek (May 17)
- Re: Recent Kernel exploits, attack surface reduction, example IPSEC Lionel Debroux (May 16)
- Re: Recent Kernel exploits, attack surface reduction, example IPSEC Jeffrey Walton (May 16)
