* [PATCH 1/2] module: add CONFIG_MODULE_RESTRICT_AUTOLOAD
2026-05-15 17:20 [PATCH 0/2] module: restrict module auto-loading to privileged users Michal Gorlas
@ 2026-05-15 17:20 ` Michal Gorlas
2026-05-15 17:20 ` [PATCH 2/2] module: restrict autoload to CAP_SYS_ADMIN if CONFIG_MODULE_RESTRICT_AUTOLOAD Michal Gorlas
1 sibling, 0 replies; 3+ messages in thread
From: Michal Gorlas @ 2026-05-15 17:20 UTC (permalink / raw)
To: Jonathan Corbet, Shuah Khan, Luis Chamberlain, Petr Pavlu,
Daniel Gomez, Sami Tolvanen, Aaron Tomlin
Cc: linux-doc, linux-kernel, linux-modules, Michal Gorlas
Add CONFIG_MODULE_RESTRICT_AUTOLOAD and modrestrict parameter
documentation.
Signed-off-by: Michal Gorlas <michal.gorlas@9elements.com>
---
Documentation/admin-guide/kernel-parameters.txt | 5 +++++
kernel/module/Kconfig | 15 +++++++++++++++
2 files changed, 20 insertions(+)
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 03a550630644..1013104f0943 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -4185,6 +4185,11 @@ Kernel parameters
For details see:
Documentation/admin-guide/hw-vuln/processor_mmio_stale_data.rst
+ modrestrict=<bool>
+ Control the restriction of module auto-loading to
+ CAP_SYS_ADMIN. If no <bool> value is specified, this
+ is set to the value of CONFIG_MODULE_RESTRICT_AUTOLOAD.
+
<module>.async_probe[=<bool>] [KNL]
If no <bool> value is specified or if the value
specified is not a valid <bool>, enable asynchronous
diff --git a/kernel/module/Kconfig b/kernel/module/Kconfig
index 43b1bb01fd27..c9e01bb848c0 100644
--- a/kernel/module/Kconfig
+++ b/kernel/module/Kconfig
@@ -337,6 +337,21 @@ config MODULE_SIG_HASH
endif # MODULE_SIG || IMA_APPRAISE_MODSIG
+config MODULE_RESTRICT_AUTOLOAD
+ bool "Restrict module auto-loading to privileged users"
+ default n
+ help
+ Restrict module auto-loading in response to use of some feature
+ implemented by an unloaded module to CAP_SYS_ADMIN. Enabling this
+ option helps reducing the attack surface where unprivileged users
+ can abuse auto-loading to cause a vulnerable module to load that is
+ then exploited.
+
+ Note that this option also prevents a benign use of auto-loading for
+ a non-root users. Thus if enabled, the root user should execute
+ modprobe manually if needed, or add the module to the list of modules
+ loaded at the boot by modifying init scripts.
+
config MODULE_COMPRESS
bool "Module compression"
help
--
2.54.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH 2/2] module: restrict autoload to CAP_SYS_ADMIN if CONFIG_MODULE_RESTRICT_AUTOLOAD
2026-05-15 17:20 [PATCH 0/2] module: restrict module auto-loading to privileged users Michal Gorlas
2026-05-15 17:20 ` [PATCH 1/2] module: add CONFIG_MODULE_RESTRICT_AUTOLOAD Michal Gorlas
@ 2026-05-15 17:20 ` Michal Gorlas
1 sibling, 0 replies; 3+ messages in thread
From: Michal Gorlas @ 2026-05-15 17:20 UTC (permalink / raw)
To: Jonathan Corbet, Shuah Khan, Luis Chamberlain, Petr Pavlu,
Daniel Gomez, Sami Tolvanen, Aaron Tomlin
Cc: linux-doc, linux-kernel, linux-modules, Michal Gorlas
Restrict module auto-loading to CAP_SYS_ADMIN if
CONFIG_MODULE_RESTRICT_AUTOLOAD is enabled, cmdline parameter
modrestrict=true, or kernel.modrestrict=1 is set with sysctl.
Signed-off-by: Michal Gorlas <michal.gorlas@9elements.com>
---
kernel/module/internal.h | 1 +
kernel/module/kmod.c | 5 +++++
kernel/module/main.c | 11 +++++++++++
3 files changed, 17 insertions(+)
diff --git a/kernel/module/internal.h b/kernel/module/internal.h
index 061161cc79d9..496d8703f0c6 100644
--- a/kernel/module/internal.h
+++ b/kernel/module/internal.h
@@ -46,6 +46,7 @@ struct kernel_symbol {
extern struct mutex module_mutex;
extern struct list_head modules;
+extern bool module_autoload_restrict;
extern const struct module_attribute *const modinfo_attrs[];
extern const size_t modinfo_attrs_count;
diff --git a/kernel/module/kmod.c b/kernel/module/kmod.c
index a25dccdf7aa7..58b28c23f571 100644
--- a/kernel/module/kmod.c
+++ b/kernel/module/kmod.c
@@ -156,6 +156,11 @@ int __request_module(bool wait, const char *fmt, ...)
if (ret)
return ret;
+ if (module_autoload_restrict && !capable(CAP_SYS_ADMIN)) {
+ pr_alert("denied attempt to auto-load module %s\n", module_name);
+ return -EPERM;
+ }
+
ret = down_timeout(&kmod_concurrent_max, MAX_KMOD_ALL_BUSY_TIMEOUT * HZ);
if (ret) {
pr_warn_ratelimited("request_module: modprobe %s cannot be processed, kmod busy with %d threads for more than %d seconds now",
diff --git a/kernel/module/main.c b/kernel/module/main.c
index 46dd8d25a605..a293b75ce9b7 100644
--- a/kernel/module/main.c
+++ b/kernel/module/main.c
@@ -130,6 +130,10 @@ static void mod_update_bounds(struct module *mod)
static int modules_disabled;
core_param(nomodule, modules_disabled, bint, 0);
+/* Restrict auto-loading? */
+bool module_autoload_restrict = IS_ENABLED(CONFIG_MODULE_RESTRICT_AUTOLOAD);
+core_param(modrestrict, module_autoload_restrict, bool, 0);
+
static const struct ctl_table module_sysctl_table[] = {
{
.procname = "modprobe",
@@ -148,6 +152,13 @@ static const struct ctl_table module_sysctl_table[] = {
.extra1 = SYSCTL_ONE,
.extra2 = SYSCTL_ONE,
},
+ {
+ .procname = "modrestrict",
+ .data = &module_autoload_restrict,
+ .maxlen = sizeof(bool),
+ .mode = 0644,
+ .proc_handler = proc_dobool,
+ },
};
static int __init init_module_sysctl(void)
--
2.54.0
^ permalink raw reply related [flat|nested] 3+ messages in thread