Re: Disabling module loading with a module?

Matthew Kirkwood (weejock@ferret.lmh.ox.ac.uk)
Tue, 17 Aug 1999 15:11:49 +0100 (GMT)


On Tue, 17 Aug 1999, fvw wrote:

> > Send ~(1 << CAP_SYS_RAWIO) (4294836223) in there to protect against direct
> > hardware access, and /dev/port, /dev/kmem, /dev/mem and (as of 2.3.14pre1)
> > /proc/kcore.
> >
> > With these two disabled, there should be no way to modify the kernel.

> I was talking about an already cracked box, and echo 0 is as easy as
> echo 1 :-)

These restrictions can only be increased (except by init).

If I:
# echo 0 > /proc/sys/kern/cap_bset

then (without somehow compromising init) there is no way for anybody
(including root) to modify the kernel, put the network device into
promisc mode or do any other nasties. (An awful lot of things will
break if you put zero into that file, BTW.)

> > (Interesting diversion: what about systems with swappable kernel code?
> > We'd have to deny access to block devices too, in that case.)

> Nope, because afaik the kernel never gets swapped out.

I meant other operating systems, rather than specific boxes.

Matthew.
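
Added example, not part of the original message: a C sketch that builds the bounding-set value quoted above, checks whether a mask still allows the two kernel-modifying capabilities, and models the "can only be increased" rule as a bit test. It assumes the second capability meant by "these two" is CAP_SYS_MODULE; the capability numbers come from linux/capability.h, and the helper names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Capability numbers from <linux/capability.h>. */
#define CAP_SYS_MODULE 16  /* load and unload kernel modules */
#define CAP_SYS_RAWIO  17  /* ioperm/iopl, /dev/port, /dev/mem, /dev/kmem */

/* 32-bit bounding-set value with the given capability removed from `set`. */
uint32_t cap_drop(uint32_t set, int cap) {
    return set & ~((uint32_t)1 << cap);
}

/* 1 if the mask still permits the capability, else 0. */
int cap_allowed(uint32_t set, int cap) {
    return (set >> cap) & 1u;
}

/* 1 only when neither module loading nor raw I/O is left in the set. */
int kernel_write_paths_closed(uint32_t set) {
    return !cap_allowed(set, CAP_SYS_MODULE) && !cap_allowed(set, CAP_SYS_RAWIO);
}

/* Model of the one-way rule for everyone but init: a new value is
 * acceptable only if it sets no bit that is clear in the current one. */
int is_tightening(uint32_t current, uint32_t proposed) {
    return (proposed & ~current) == 0;
}

/* Parse the decimal form written to the sysctl file; 0 on success. */
int parse_bset(const char *text, uint32_t *out) {
    char *end;
    unsigned long long v = strtoull(text, &end, 10);
    if (end == text || (*end != '\0' && *end != '\n') || v > 0xFFFFFFFFull)
        return -1;
    *out = (uint32_t)v;
    return 0;
}

int main(void) {
    uint32_t set;
    if (parse_bset("4294836223\n", &set) != 0) return 1;  /* value from the thread */
    printf("after RAWIO drop: closed=%d\n", kernel_write_paths_closed(set));
    set = cap_drop(set, CAP_SYS_MODULE);  /* assumed second capability */
    printf("%u closed=%d raise_ok=%d\n", (unsigned)set,
           kernel_write_paths_closed(set), is_tightening(set, 0xFFFFFFFFu));
    return 0;
}
```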
