Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1030477AbVIOO7A (ORCPT ); Thu, 15 Sep 2005 10:59:00 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1030480AbVIOO67 (ORCPT ); Thu, 15 Sep 2005 10:58:59 -0400 Received: from 41-052.adsl.zetnet.co.uk ([194.247.41.52]:50706 "EHLO mail.esperi.org.uk") by vger.kernel.org with ESMTP id S1030477AbVIOO67 (ORCPT ); Thu, 15 Sep 2005 10:58:59 -0400 To: David Lang Cc: Lee Revell , Hua Zhong , marekw1977@yahoo.com.au, linux-kernel@vger.kernel.org Subject: Re: Automatic Configuration of a Kernel References: <20050914223836.53814.qmail@web51011.mail.yahoo.com> <6bffcb0e05091415533d563c5a@mail.gmail.com> <4328B710.5080503@in.tum.de> <200509151009.59981.marekw1977@yahoo.com.au> <924c288305091417375fea4ec2@mail.gmail.com> <1126753444.13893.123.camel@mindpipe> From: Nix X-Emacs: it's all fun and games, until somebody tries to edit a file. Date: Thu, 15 Sep 2005 15:58:38 +0100 In-Reply-To: (David Lang's message of "15 Sep 2005 11:30:52 +0100") Message-ID: <87zmqextr5.fsf@amaterasu.srvr.nix> User-Agent: Gnus/5.1006 (Gnus v5.10.6) XEmacs/21.4 (Corporate Culture, linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 4993 Lines: 142 On 15 Sep 2005, David Lang yowled: > 5. once kmem and mem can be made read-only there is a security > advantage in not having kernel modules available (yes the machine can > be rebooted into a new kernel, but that's easier to detect then a > module getting loaded) Here, have a small patch (against 2.6.12.x, but easily forward-portable) that eliminates that advantage: diff -durN linux-2.6.12.1-seal-orig/include/linux/kernel.h linux-2.6.12.1-seal/include/linux/kernel.h --- linux-2.6.12.1-seal-orig/include/linux/kernel.h 2005-06-27 19:28:54.000000000 +0100 +++ linux-2.6.12.1-seal/include/linux/kernel.h 2005-06-27 22:21:48.000000000 +0100 @@ -165,6 +165,9 @@ extern int tainted; extern const char *print_tainted(void); extern void add_taint(unsigned); +#ifdef CONFIG_MODULE_SEAL +extern int module_seal; +#endif /* Values used for system_state */ extern enum system_states { diff -durN linux-2.6.12.1-seal-orig/include/linux/sysctl.h linux-2.6.12.1-seal/include/linux/sysctl.h --- linux-2.6.12.1-seal-orig/include/linux/sysctl.h 2005-06-27 19:28:57.000000000 +0100 +++ linux-2.6.12.1-seal/include/linux/sysctl.h 2005-06-27 22:26:12.000000000 +0100 @@ -136,6 +136,7 @@ KERN_UNKNOWN_NMI_PANIC=66, /* int: unknown nmi panic flag */ KERN_BOOTLOADER_TYPE=67, /* int: boot loader type */ KERN_RANDOMIZE=68, /* int: randomize virtual address space */ + KERN_MODULE_SEAL=69, /* int: module loading forbidden */ }; @@ -801,6 +802,8 @@ void __user *, size_t *, loff_t *); extern int proc_dointvec_bset(ctl_table *, int, struct file *, void __user *, size_t *, loff_t *); +extern int proc_dointvec_seal(ctl_table *table, int write, struct file *filp, + void __user *buffer, size_t *lenp, loff_t *ppos); extern int proc_dointvec_minmax(ctl_table *, int, struct file *, void __user *, size_t *, loff_t *); extern int proc_dointvec_jiffies(ctl_table *, int, struct file *, diff -durN linux-2.6.12.1-seal-orig/init/Kconfig linux-2.6.12.1-seal/init/Kconfig --- linux-2.6.12.1-seal-orig/init/Kconfig 2005-06-27 19:28:59.000000000 +0100 +++ linux-2.6.12.1-seal/init/Kconfig 2005-06-27 22:21:49.000000000 +0100 @@ -463,6 +463,16 @@ the version). With this option, such a "srcversion" field will be created for all modules. If unsure, say N. +config MODULE_SEAL + bool "Module sealing support" + depends on MODULES && PROC_FS + help + This option provides a file /proc/sys/kernel/module_seal, + initially containing the value 0. If it is set to a non-zero + value, all module loading and unloading will be prohibited + until the next reboot: further changes to the flag will be + ignored. + config KMOD bool "Automatic kernel module loading" depends on MODULES diff -durN linux-2.6.12.1-seal-orig/kernel/module.c linux-2.6.12.1-seal/kernel/module.c --- linux-2.6.12.1-seal-orig/kernel/module.c 2005-06-27 19:28:59.000000000 +0100 +++ linux-2.6.12.1-seal/kernel/module.c 2005-06-27 22:21:49.000000000 +0100 @@ -49,6 +49,10 @@ #define ARCH_SHF_SMALL 0 #endif +#ifdef CONFIG_MODULE_SEAL +int module_seal = 0; +#endif + /* If this is set, the section belongs in the init part of the module */ #define INIT_OFFSET_MASK (1UL << (BITS_PER_LONG-1)) @@ -1765,6 +1769,12 @@ if (!capable(CAP_SYS_MODULE)) return -EPERM; +#ifdef CONFIG_MODULE_SEAL + /* Must not be sealed */ + if (module_seal) + return -EPERM; +#endif + /* Only one module load at a time, please */ if (down_interruptible(&module_mutex) != 0) return -EINTR; diff -durN linux-2.6.12.1-seal-orig/kernel/sysctl.c linux-2.6.12.1-seal/kernel/sysctl.c --- linux-2.6.12.1-seal-orig/kernel/sysctl.c 2005-06-27 19:29:00.000000000 +0100 +++ linux-2.6.12.1-seal/kernel/sysctl.c 2005-06-27 22:21:49.000000000 +0100 @@ -589,6 +589,16 @@ .mode = 0644, .proc_handler = &proc_dointvec, }, +#ifdef CONFIG_MODULE_SEAL + { + .ctl_name = KERN_MODULE_SEAL, + .procname = "module_seal", + .data = &module_seal, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec_seal, + }, +#endif { .ctl_name = KERN_PRINTK_RATELIMIT, .procname = "printk_ratelimit", @@ -1663,6 +1673,22 @@ do_proc_dointvec_bset_conv,&op); } +#ifdef CONFIG_MODULE_SEAL +/* + * You can't change the seal unless it's zero. + */ + +int proc_dointvec_seal(ctl_table *table, int write, struct file *filp, + void __user *buffer, size_t *lenp, loff_t *ppos) +{ + if (module_seal != 0) { + return -EPERM; + } + + return do_proc_dointvec(table,write,filp,buffer,lenp,ppos,NULL,NULL); +} +#endif + struct do_proc_dointvec_minmax_conv_param { int *min; int *max; -- `One cannot, after all, be expected to read every single word of a book whose author one wishes to insult.' --- Richard Dawkins - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/