anthraxx / linux-hardened

Minimal supplement to upstream Kernel Self Protection Project changes. Features already provided by SELinux + Yama and archs other than multiarch arm64 / x86_64 aren't in scope. Only tags have stable history. Shared IRC channel with KSPP: irc.libera.chat #linux-hardening

refactor deny_new_usb sysctl into usb core sysctl table registration #50

Closed anthraxx closed 3 years ago

anthraxx commented 4 years ago

It's discouraged to define sysctls in kernel/sysctl.c, but as the usb subsystem can be totally isolated into a kernel module, there are no appropriate places to put it in a clean way. It would be better to register a sysctl table in the usb core and use deny_new_usb there, which will work no matter if usb is compiled in or used as a module.

anthraxx commented 4 years ago

proposal implemented in deb5327daa1c14663f77ce3526d80abe74ba4579

anthraxx commented 3 years ago

implemented and backported to all maintained branches