From: Nix <nix@esperi.org.uk>
To: David Lang <david.lang@digitalinsight.com>
Cc: Lee Revell <rlrevell@joe-job.com>, Hua Zhong <hzhong@gmail.com>,
	marekw1977@yahoo.com.au, linux-kernel@vger.kernel.org
Subject: Re: Automatic Configuration of a Kernel
Date: Thu, 15 Sep 2005 15:58:38 +0100	[thread overview]
Message-ID: <87zmqextr5.fsf@amaterasu.srvr.nix> (raw)
In-Reply-To: <Pine.LNX.4.62.0509150313500.9384@qynat.qvtvafvgr.pbz> (David Lang's message of "15 Sep 2005 11:30:52 +0100")

On 15 Sep 2005, David Lang yowled:
> 5. once kmem and mem can be made read-only there is a security
> advantage in not having kernel modules available (yes the machine can
> be rebooted into a new kernel, but that's easier to detect then a
> module getting loaded)

Here, have a small patch (against 2.6.12.x, but easily forward-portable)
that eliminates that advantage:

diff -durN linux-2.6.12.1-seal-orig/include/linux/kernel.h linux-2.6.12.1-seal/include/linux/kernel.h
--- linux-2.6.12.1-seal-orig/include/linux/kernel.h	2005-06-27 19:28:54.000000000 +0100
+++ linux-2.6.12.1-seal/include/linux/kernel.h	2005-06-27 22:21:48.000000000 +0100
@@ -165,6 +165,9 @@
 extern int tainted;
 extern const char *print_tainted(void);
 extern void add_taint(unsigned);
+#ifdef CONFIG_MODULE_SEAL
+extern int module_seal;
+#endif
 
 /* Values used for system_state */
 extern enum system_states {
diff -durN linux-2.6.12.1-seal-orig/include/linux/sysctl.h linux-2.6.12.1-seal/include/linux/sysctl.h
--- linux-2.6.12.1-seal-orig/include/linux/sysctl.h	2005-06-27 19:28:57.000000000 +0100
+++ linux-2.6.12.1-seal/include/linux/sysctl.h	2005-06-27 22:26:12.000000000 +0100
@@ -136,6 +136,7 @@
 	KERN_UNKNOWN_NMI_PANIC=66, /* int: unknown nmi panic flag */
 	KERN_BOOTLOADER_TYPE=67, /* int: boot loader type */
 	KERN_RANDOMIZE=68, /* int: randomize virtual address space */
+	KERN_MODULE_SEAL=69,	/* int: module loading forbidden */
 };
 
 
@@ -801,6 +802,8 @@
 			 void __user *, size_t *, loff_t *);
 extern int proc_dointvec_bset(ctl_table *, int, struct file *,
 			      void __user *, size_t *, loff_t *);
+extern int proc_dointvec_seal(ctl_table *table, int write, struct file *filp,
+			      void __user *buffer, size_t *lenp, loff_t *ppos);
 extern int proc_dointvec_minmax(ctl_table *, int, struct file *,
 				void __user *, size_t *, loff_t *);
 extern int proc_dointvec_jiffies(ctl_table *, int, struct file *,
diff -durN linux-2.6.12.1-seal-orig/init/Kconfig linux-2.6.12.1-seal/init/Kconfig
--- linux-2.6.12.1-seal-orig/init/Kconfig	2005-06-27 19:28:59.000000000 +0100
+++ linux-2.6.12.1-seal/init/Kconfig	2005-06-27 22:21:49.000000000 +0100
@@ -463,6 +463,16 @@
 	  the version).  With this option, such a "srcversion" field
 	  will be created for all modules.  If unsure, say N.
 
+config MODULE_SEAL
+	bool "Module sealing support"
+	depends on MODULES && PROC_FS
+	help
+	  This option provides a file /proc/sys/kernel/module_seal,
+	  initially containing the value 0. If it is set to a non-zero
+	  value, all module loading and unloading will be prohibited
+	  until the next reboot: further changes to the flag will be
+	  ignored.
+
 config KMOD
 	bool "Automatic kernel module loading"
 	depends on MODULES
diff -durN linux-2.6.12.1-seal-orig/kernel/module.c linux-2.6.12.1-seal/kernel/module.c
--- linux-2.6.12.1-seal-orig/kernel/module.c	2005-06-27 19:28:59.000000000 +0100
+++ linux-2.6.12.1-seal/kernel/module.c	2005-06-27 22:21:49.000000000 +0100
@@ -49,6 +49,10 @@
 #define ARCH_SHF_SMALL 0
 #endif
 
+#ifdef CONFIG_MODULE_SEAL
+int module_seal = 0;
+#endif
+
 /* If this is set, the section belongs in the init part of the module */
 #define INIT_OFFSET_MASK (1UL << (BITS_PER_LONG-1))
 
@@ -1765,6 +1769,12 @@
 	if (!capable(CAP_SYS_MODULE))
 		return -EPERM;
 
+#ifdef CONFIG_MODULE_SEAL
+	/* Must not be sealed */
+	if (module_seal)
+		return -EPERM;
+#endif
+
 	/* Only one module load at a time, please */
 	if (down_interruptible(&module_mutex) != 0)
 		return -EINTR;
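Review bot: The `module_seal` test is placed before `module_mutex` is taken, so a load that has already passed the check when the sysctl flips to non-zero still runs to completion; moving the `#ifdef CONFIG_MODULE_SEAL` block to just after the `down_interruptible(&module_mutex)` succeeds closes that window at no cost. Nothing in this patch touches the unload path, yet the Kconfig help text promises that "all module loading and unloading will be prohibited"; unless delete_module is guarded elsewhere, the same three-line check belongs there too, or the help text should only claim loading. The enclosing function starts and ends outside the hunk.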
diff -durN linux-2.6.12.1-seal-orig/kernel/sysctl.c linux-2.6.12.1-seal/kernel/sysctl.c
--- linux-2.6.12.1-seal-orig/kernel/sysctl.c	2005-06-27 19:29:00.000000000 +0100
+++ linux-2.6.12.1-seal/kernel/sysctl.c	2005-06-27 22:21:49.000000000 +0100
@@ -589,6 +589,16 @@
 		.mode		= 0644,
 		.proc_handler	= &proc_dointvec,
 	},
+#ifdef CONFIG_MODULE_SEAL
+        {
+		.ctl_name	= KERN_MODULE_SEAL,
+		.procname	= "module_seal",
+		.data		= &module_seal,
+		.maxlen		= sizeof(int),
+		.mode		= 0600,
+		.proc_handler	= &proc_dointvec_seal,
+	},
+#endif
 	{
 		.ctl_name	= KERN_PRINTK_RATELIMIT,
 		.procname	= "printk_ratelimit",
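Review bot: The new table entry sets `.proc_handler` but no `.strategy`, and in this kernel generation the binary sysctl(2) path appears to copy `newval` straight into `.data` whenever no strategy is present, so `module_seal` could be reset through sysctl(2) without ever reaching `proc_dointvec_seal`; the /proc handler only protects the procfs route, which is the one the Kconfig text describes. A `.strategy` callback that returns -EPERM for any write once `module_seal` is non-zero (reads pass through) would make both routes agree; please confirm against do_sysctl_strategy before merging. Separately, the opening `{` of the entry is indented with spaces where the neighbouring entries use a tab.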
@@ -1663,6 +1673,22 @@
 				do_proc_dointvec_bset_conv,&op);
 }
 
+#ifdef CONFIG_MODULE_SEAL
+/*
+ *	You can't change the seal unless it's zero.
+ */
+
+int proc_dointvec_seal(ctl_table *table, int write, struct file *filp,
+		       void __user *buffer, size_t *lenp, loff_t *ppos)
+{
+	if (module_seal != 0) {
+		return -EPERM;
+	}
+
+	return do_proc_dointvec(table,write,filp,buffer,lenp,ppos,NULL,NULL);
+}
+#endif
+
 struct do_proc_dointvec_minmax_conv_param {
 	int *min;
 	int *max;
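Review bot: `proc_dointvec_seal` refuses reads as well as writes once the flag is set, because the `write` argument is never consulted; after sealing, reading /proc/sys/kernel/module_seal returns -EPERM instead of reporting the value, which contradicts the Kconfig help ("further changes to the flag will be ignored") and makes it impossible to inspect the state without side effects. Guard only writes: `if (write && module_seal != 0)`. The header comment could state the contract explicitly, e.g. `/* Reads always succeed; writes are refused with -EPERM once module_seal is non-zero. */`, and might note that any non-zero value (including negative ones accepted by do_proc_dointvec) seals.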


-- 
`One cannot, after all, be expected to read every single word
 of a book whose author one wishes to insult.' --- Richard Dawkins
