Bug 12383

Summary: CONFIG_MODIFY_LDT_SYSCALL is enabled on i586 and x86_64
Product: IPFire
Reporter: Peter Müller <peter.mueller>
Component: ---
Assignee: Peter Müller <peter.mueller>
Status: CLOSED FIXED
QA Contact:
Severity: Security
Priority: - Unknown -
Version: 2
Hardware: unspecified
OS: All
Bug Depends on:
Bug Blocks: 12361

Description Peter Müller 2020-04-15 19:21:54 UTC
https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings recommends disabling this.

Quote from https://cateee.net/lkddb/web-lkddb/MODIFY_LDT_SYSCALL.html:

> Linux can allow user programs to install a per-process x86 Local Descriptor
> Table (LDT) using the modify_ldt(2) system call. This is required to run 16-bit
> or segmented code such as DOSEMU or some Wine programs. It is also used by some
> very old threading libraries.
> 
> Enabling this feature adds a small amount of overhead to context switches and
> increases the low-level kernel attack surface. Disabling it removes the
> modify_ldt(2) system call.
> 
> Saying 'N' here may make sense for embedded or server kernels.

I cannot think of a legitimate reason to have this turned on on a firewall.
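A check for the setting described above, added here as an example and not taken from the bug report or the IPFire patch: it parses a kernel build config for CONFIG_MODIFY_LDT_SYSCALL and probes the running kernel, where a disabled option means modify_ldt(2) is not wired up and fails with ENOSYS. The function names config_modify_ldt and probe_modify_ldt are my own, and the config excerpt in main is constructed.

```c
/* Added example, not from the bug report: check CONFIG_MODIFY_LDT_SYSCALL two
 * ways. config_modify_ldt() parses kernel config text (e.g. /boot/config-$(uname -r));
 * probe_modify_ldt() asks the running kernel, where a disabled option means
 * modify_ldt(2) is not wired up and fails with ENOSYS. Linux/x86 only. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#define STARTS_WITH(s, lit) (strncmp((s), (lit), sizeof(lit) - 1) == 0)
enum ldt_status { LDT_SYSCALL_REMOVED, LDT_SYSCALL_PRESENT, LDT_PROBE_UNKNOWN };

/* Returns 'y' or 'n' for the option, '?' if it is absent (e.g. a non-x86 config). */
char config_modify_ldt(const char *config_text)
{
    for (const char *line = config_text; *line; ) {
        if (STARTS_WITH(line, "CONFIG_MODIFY_LDT_SYSCALL="))
            return line[sizeof("CONFIG_MODIFY_LDT_SYSCALL=") - 1];
        if (STARTS_WITH(line, "# CONFIG_MODIFY_LDT_SYSCALL is not set"))
            return 'n';
        const char *end = strchr(line, '\n');
        if (!end)
            break;
        line = end + 1;
    }
    return '?';
}

/* func 0 only reads the current (normally empty) LDT, so the probe changes nothing. */
enum ldt_status probe_modify_ldt(void)
{
#ifdef SYS_modify_ldt
    unsigned char buf[8] = {0};
    if (syscall(SYS_modify_ldt, 0, buf, sizeof buf) >= 0)
        return LDT_SYSCALL_PRESENT;   /* the syscall exists on this kernel */
    if (errno == ENOSYS)
        return LDT_SYSCALL_REMOVED;   /* kernel built with the option off */
#endif
    return LDT_PROBE_UNKNOWN;         /* other error (e.g. seccomp) or not x86 */
}

int main(void)
{
    /* Constructed config excerpt standing in for a real /boot/config-* file. */
    const char *sample = "CONFIG_X86=y\n# CONFIG_MODIFY_LDT_SYSCALL is not set\n";
    static const char *const names[] = { "removed", "present", "unknown" };
    printf("build config: %c\nrunning kernel: modify_ldt(2) %s\n", config_modify_ldt(sample), names[probe_modify_ldt()]);
    return 0;
}
```

On a kernel built as this bug requests, the runtime probe reports "removed"; a "present" result on a firewall build means the option is still on.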
Comment 1 Peter Müller 2020-06-07 16:34:21 UTC
https://patchwork.ipfire.org/patch/3159/