Stephen Hahn <[EMAIL PROTECTED]> wrote:

> * Richard L. Hamilton <[EMAIL PROTECTED]> [2007-10-31 19:51]:
> > Is there a way to disallow further kernel module load/unload
> > operations (including automatic loading of modules) pending (a) reboot
> > (for security too), or in a less dire form (b) pending an explicit
> > unlock request?  (not sure the latter is actually needed)
>
>   There's no supported way to do this, but bfu does it in an unsupported
>   fashion:
>
> $ ggrep -B2 moddebug /ws/onnv-gate/public/bin/bfu 
>         print "Disabling kernel module unloading ... \c"
>       test -x /usr/bin/adb || fail "/usr/bin/adb not found: bfu not safe."
>       echo "moddebug/W20000" | adb -kw /dev/ksyms /dev/mem | grep moddebug
>
>   I suspect we'll add an actual interface--there are a couple of related
>   requests, like load all modules and then block load/unload, to
>   consider--to support some of the install/upgrade/packaging operations
>   we'd like to make safe.

FreeBSD makes it possible to prevent new modules from being loaded. If you can
still load any new module, the system may load a trojan horse. Having a working
method to load only signed modules would allow similar security.

Jörg

-- 
 EMail:[EMAIL PROTECTED] (home) Jörg Schilling D-13353 Berlin
       [EMAIL PROTECTED]                (uni)  
       [EMAIL PROTECTED]     (work) Blog: http://schily.blogspot.com/
 URL:  http://cdrecord.berlios.de/old/private/ ftp://ftp.berlios.de/pub/schily
_______________________________________________
opensolaris-code mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/opensolaris-code
