Bug 12383 - CONFIG_MODIFY_LDT_SYSCALL is enabled on i586 and x86_64
Summary: CONFIG_MODIFY_LDT_SYSCALL is enabled on i586 and x86_64
Status: CLOSED FIXED
Alias: None
Product: IPFire
Classification: Unclassified
Component: ---
Version: 2
Hardware: unspecified All
: - Unknown - Security
Assignee: Peter Müller
QA Contact:
URL:
Keywords:
Depends on:
Blocks: KERNSEC
Reported: 2020-04-15 19:21 UTC by Peter Müller
Modified: 2020-07-01 15:15 UTC (History)

See Also:


Attachments

Description Peter Müller 2020-04-15 19:21:54 UTC
https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings recommends disabling this.

Quote from https://cateee.net/lkddb/web-lkddb/MODIFY_LDT_SYSCALL.html:

> Linux can allow user programs to install a per-process x86 Local Descriptor
> Table (LDT) using the modify_ldt(2) system call. This is required to run 16-bit
> or segmented code such as DOSEMU or some Wine programs. It is also used by some
> very old threading libraries.
> 
> Enabling this feature adds a small amount of overhead to context switches and
> increases the low-level kernel attack surface. Disabling it removes the
> modify_ldt(2) system call.
> 
> Saying 'N' here may make sense for embedded or server kernels.

I cannot think of a legitimate reason to have this turned on on a firewall.
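The quoted help text says that disabling the option removes the modify_ldt(2) system call. The following added example (written for this page, not part of the bug report or the IPFire tree) verifies that on a running kernel: it issues the side-effect-free "read LDT" variant of the call and reports whether the kernel handled it, compiled it out (ENOSYS), or whether a seccomp-style filter got in the way. It assumes Linux with glibc; on non-x86 builds the syscall number does not exist and the probe says so.

```c
/* Added example: probe whether the running x86 kernel still exposes
 * modify_ldt(2). With CONFIG_MODIFY_LDT_SYSCALL=n there is no handler,
 * so the kernel answers ENOSYS. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

enum ldt_status {
    LDT_AVAILABLE = 0, /* syscall handled: kernel built with the option */
    LDT_REMOVED   = 1, /* ENOSYS: compiled out, as the bug requests */
    LDT_BLOCKED   = 2, /* other error, e.g. EPERM from a seccomp filter */
    LDT_NOT_X86   = 3, /* architecture has no modify_ldt syscall at all */
};

/* func 0 reads the current LDT and changes nothing. A process that has
 * never installed an LDT gets 0 bytes back; the value only matters as
 * "the kernel accepted the call". */
enum ldt_status probe_modify_ldt(void)
{
#ifdef SYS_modify_ldt
    unsigned char buf[8 * 8]; /* room for eight 8-byte descriptors */
    long rc = syscall(SYS_modify_ldt, 0, buf, sizeof buf);
    if (rc >= 0)
        return LDT_AVAILABLE;
    return errno == ENOSYS ? LDT_REMOVED : LDT_BLOCKED;
#else
    return LDT_NOT_X86;
#endif
}

const char *ldt_status_text(enum ldt_status s)
{
    switch (s) {
    case LDT_AVAILABLE: return "modify_ldt(2) available: CONFIG_MODIFY_LDT_SYSCALL=y";
    case LDT_REMOVED:   return "modify_ldt(2) returns ENOSYS: compiled out";
    case LDT_BLOCKED:   return "modify_ldt(2) refused by a filter: kernel setting unknown";
    default:            return "modify_ldt(2) does not exist on this architecture";
    }
}

/* Exit 0 when the attack surface is gone, 1 when it is still reachable
 * or could not be determined, so the probe can sit in a hardening check. */
int main(void)
{
    enum ldt_status s = probe_modify_ldt();
    printf("%s\n", ldt_status_text(s));
    return (s == LDT_REMOVED || s == LDT_NOT_X86) ? 0 : 1;
}
```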
Comment 1 Peter Müller 2020-06-07 16:34:21 UTC
https://patchwork.ipfire.org/patch/3159/