Re: Sealing the kernel

Dimitris Margaritis (Dimitris_Margaritis@mind.learning.cs.cmu.edu)
Wed, 27 Oct 1999 20:11:44 -0400

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: James Turinsky: "2.3.23 compile error: undefined reference to ide_dmaproc"
Previous message: Darrell Wright: "Re: access beyond end of device errors in 2.2.13pre18 AND 2.2.5"
Maybe in reply to: John Langford: "Sealing the kernel"

> Dimitris Margaritis <Dimitris_Margaritis@sage.learning.cs.cmu.edu> said:
>
> [...]
>
> > Yes, John forgot to mention that we're assuming boot from a read-only
> > media such as a write-protected floppy or CD-ROM. We also assume
> > that the rc scripts, kernel, and all modules to be loaded at boot
> > time (before of course the sealing module) also reside on that medium.
>
> If it is _that_ important, a few Kb in resident drivers, etc is not a big
> deal. Just disable module loading for good, close reading/writing of
> /dev/mem, etc. That is _much_ easier to do than the mentioned idea, and
> even has some chance of getting audited properly.
> --
> Horst von Brand vonbrand@sleipnir.valparaiso.cl
> Casilla 9G, Via del Mar, Chile +56 32 672616

What you say doesn't compute. That's what the "mentioned idea" does,
disables module loading and /dev/mem and /dev/kmem. Or are you
referring to the need to have boot from read-only media? If so,
that's necessary because a cracker that has root may (for example)
simply delete seal.o and reboot.

-- Dimitris

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/

Next message: James Turinsky: "2.3.23 compile error: undefined reference to ide_dmaproc"
Previous message: Darrell Wright: "Re: access beyond end of device errors in 2.2.13pre18 AND 2.2.5"
Maybe in reply to: John Langford: "Sealing the kernel"