From: Jim Nelson <james4765@verizon.net>
To: linux-kernel@vger.kernel.org
Subject: Question about /dev/mem and /dev/kmem
Date: Sun, 28 Nov 2004 22:57:26 -0500
Message-ID: <41AA9E26.4070105@verizon.net>
I was looking at some articles about rootkits on monolithic kernels, and had a
thought. Would a kernel config option to disable write access to /dev/mem and
/dev/kmem be a workable idea?

I know it'll kill X (unless you're using the framebuffer X server), but would
there be any other big problems? SELinux has a finer-grained control over those
files, but also involves a bit of administrative and system overhead.

I see this as an option that could be used in routers, web servers, firewalls and
other systems that have a greater risk of exposure to rootkits. Granted, it only
makes sense with a monolithic kernel, but most people nowadays would only use
monolithic kernels for security reasons. You could also put a couple of
printk()s in to raise alarms if someone does try to open the device file for writing.

Am I speaking ex rectum? Granted, I'm kinda new to this, but I can't see any
reason not to offer the choice to someone compiling a kernel - and I think it
could be done with a minimum of code bloat.

I offer this to the firing range ;)

Jim
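The following is an added example, not code from the original message or from the kernel. It models the gate Jim proposes in userspace Python: a parser for .config text, a posture check that reports whether /dev/mem and /dev/kmem are exposed, a mock open() handler that refuses write opens and emits a printk-style alarm, and a scanner that pulls those alarms back out of constructed log lines. CONFIG_DEVMEM, CONFIG_DEVKMEM, CONFIG_STRICT_DEVMEM and CONFIG_IO_STRICT_DEVMEM are real mainline option names; CONFIG_DEVMEM_READONLY is a hypothetical name standing in for the option proposed here, and the alarm message format, process names and PIDs are constructed.

```python
import errno
import os
import re

# Real mainline options:
#   CONFIG_DEVMEM           build /dev/mem at all
#   CONFIG_DEVKMEM          build /dev/kmem (removed from mainline in 2021)
#   CONFIG_STRICT_DEVMEM    limit /dev/mem to non-RAM (PCI/BIOS) ranges
#   CONFIG_IO_STRICT_DEVMEM also block ranges claimed by drivers
# CONFIG_DEVMEM_READONLY is a HYPOTHETICAL name for the option proposed
# in the message above; it does not exist in the kernel.

# Constructed .config fragments (not taken from any real system).
KCONFIG_PERMISSIVE = """\
CONFIG_DEVMEM=y
CONFIG_DEVKMEM=y
# CONFIG_STRICT_DEVMEM is not set
# CONFIG_DEVMEM_READONLY is not set
"""

KCONFIG_HARDENED = """\
CONFIG_DEVMEM=y
# CONFIG_DEVKMEM is not set
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y
CONFIG_DEVMEM_READONLY=y
"""


def parse_kconfig(text):
    """Parse .config text into {option: value}; '# X is not set' becomes 'n'."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"# (CONFIG_\w+) is not set$", line)
        if m:
            opts[m.group(1)] = "n"
        elif line and not line.startswith("#") and "=" in line:
            key, _, val = line.partition("=")
            opts[key.strip()] = val.strip().strip('"')
    return opts


def assess_posture(opts):
    """Return findings describing how much memory the char devices expose."""
    findings = []
    if opts.get("CONFIG_DEVKMEM") == "y":
        findings.append("/dev/kmem is built in: kernel virtual memory is writable by root")
    if opts.get("CONFIG_DEVMEM") == "y":
        if opts.get("CONFIG_DEVMEM_READONLY") != "y":
            findings.append("/dev/mem accepts write opens (proposed option absent or off)")
        if opts.get("CONFIG_STRICT_DEVMEM") != "y":
            findings.append("CONFIG_STRICT_DEVMEM off: /dev/mem exposes all of RAM")
    return findings


class KernelLog:
    """Stand-in for the kernel ring buffer that printk() would write to."""

    def __init__(self):
        self.lines = []

    def printk(self, msg):
        self.lines.append(msg)


def devmem_open(flags, comm, pid, opts, log):
    """Model of the proposed open() gate for /dev/mem.

    Refuses any open that asks for write access when the (hypothetical)
    read-only option is set, and raises an alarm via printk. Returns 0 on
    success or a negative errno, as a kernel file operation would.
    """
    wants_write = (flags & (os.O_WRONLY | os.O_RDWR)) != 0
    if wants_write and opts.get("CONFIG_DEVMEM_READONLY") == "y":
        log.printk(f"devmem: {comm}[{pid}] denied write open of /dev/mem")
        return -errno.EPERM
    return 0


# Constructed alarm format; a real deployment would match the kernel's own text.
ALARM_RE = re.compile(r"devmem: (?P<comm>\S+)\[(?P<pid>\d+)\] denied write open of /dev/mem")


def scan_log(lines):
    """Detection side: extract (comm, pid) for every refused write open."""
    return [(m.group("comm"), int(m.group("pid")))
            for m in (ALARM_RE.search(line) for line in lines) if m]


def demo():
    """Hardened config: a read-only open passes, a read-write open is refused and logged."""
    opts = parse_kconfig(KCONFIG_HARDENED)
    log = KernelLog()
    ro = devmem_open(os.O_RDONLY, "dmidecode", 1201, opts, log)  # constructed comm/pid
    rw = devmem_open(os.O_RDWR, "suspect", 1337, opts, log)      # constructed comm/pid
    return ro, rw, scan_log(log.lines)


if __name__ == "__main__":
    for name, text in (("permissive", KCONFIG_PERMISSIVE), ("hardened", KCONFIG_HARDENED)):
        print(name, assess_posture(parse_kconfig(text)))
    print(demo())
```

Only the open-time check is modelled; the same decision could equally be taken per write() call, and the posture check is the part an auditor can run against a real /boot/config-* or /proc/config.gz today.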
Thread overview: 7+ messages
2004-11-29 3:57 Jim Nelson [this message]
2004-11-29 4:45 ` Question about /dev/mem and /dev/kmem - Matan Peled
2004-11-29 8:04 ` Arjan van de Ven
2004-11-29 9:39 ` Wichert Akkerman
2004-11-29 10:47 ` Jim Nelson
2004-11-29 11:45 ` Alan Cox
2004-11-29 12:36 ` Wichert Akkerman