Joerg Schilling wrote:
> Stephen Hahn <[EMAIL PROTECTED]> wrote:
>
>> * Richard L. Hamilton <[EMAIL PROTECTED]> [2007-10-31 19:51]:
>>> Is there a way to disallow further kernel module load/unload
>>> operations (including automatic loading of modules) pending (a) reboot
>>> (for security too), or in a less dire form (b) pending an explicit
>>> unlock request? (not sure the latter is actually needed)
>>
>> There's no supported way to do this, but bfu does it in an unsupported
>> fashion:
>>
>> $ ggrep -B2 moddebug /ws/onnv-gate/public/bin/bfu
>> print "Disabling kernel module unloading ... \c"
>> test -x /usr/bin/adb || fail "/usr/bin/adb not found: bfu not safe."
>> echo "moddebug/W20000" | adb -kw /dev/ksyms /dev/mem | grep moddebug
>>
>> I suspect we'll add an actual interface--there are a couple of related
>> requests, like load all modules and then block load/unload, to
>> consider--to support some of the install/upgrade/packaging operations
>> we'd like to make safe.
>
> FreeBSD makes it possible to prevent new modules from being loaded. If you
> can still load any new module, the system may load a trojan horse. Having a
> working method to only load signed modules would allow similar security.
That depends on the policy and who you trust and how you protect the trust
anchors; but "security" isn't the only reason for needing module loading
lockout.

-- 
Darren J Moffat
_______________________________________________
opensolaris-code mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/opensolaris-code
