On Sat, Oct 16, 2010 at 05:07:30AM -0700, Paul Goyette wrote:
> autoload/autounload does NOT perform any authorization checks -
> please look at the code! No checking of securelevel occurs, as far
> as I can see. For autoload, the module name must not contain a
> '/', so if the module is being loaded from the file system it must
> be loaded from the "blessed" /stand/${ARCH}/${VERSION}/modules
> directory. Including the INSECURE option will have no effect on
> autoloading of modules.

If this is true it makes securelevel useless; all you need to do is
put a hostile module in the right place and cause it to be autoloaded.
(Remember the point of securelevel is that even root can't lower it.)

It should be sufficient, I think, to check at boot time that any
module that can be autoloaded is marked immutable.

-- 
David A. Holland
dholl...@netbsd.org
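
The boot-time check proposed in the reply above, sketched as an added example that is not part of the original message or of NetBSD's code: it walks a module directory such as /stand/${ARCH}/${VERSION}/modules and lists every entry that lacks the system immutable flag. The names `audit_module_tree` and `file_flags` are hypothetical, and covering directories and symlinks as well as module files is this example's assumption about what such a check needs.

```python
import os
import stat
import sys


def file_flags(path):
    """Return the BSD file flags of path without following symlinks.

    Platforms without st_flags report 0, so every entry is then flagged.
    """
    return getattr(os.lstat(path), "st_flags", 0)


def audit_module_tree(root, get_flags=file_flags):
    """Return the sorted paths under root (root included) that are not
    marked system-immutable (SF_IMMUTABLE, set with `chflags schg`).

    Directories are checked too: an immutable file does not stop a new
    module from being created beside it in a mutable directory.
    Symlinks are always reported, since their target is outside the audit.
    """
    if os.path.islink(root) or not os.path.isdir(root):
        return [root]  # a missing or redirected module root is itself a finding
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        if not get_flags(dirpath) & stat.SF_IMMUTABLE:
            findings.append(dirpath)
        for name in dirnames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):  # os.walk will not descend into it
                findings.append(path)
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not get_flags(path) & stat.SF_IMMUTABLE:
                findings.append(path)
    return sorted(findings)


if __name__ == "__main__":
    # Usage: pass the module directory to audit as the only argument.
    if len(sys.argv) != 2:
        sys.exit("usage: audit_modules.py MODULE_DIR")
    mutable = audit_module_tree(sys.argv[1])
    for entry in mutable:
        print("not immutable:", entry)
    sys.exit(1 if mutable else 0)
```

A non-zero exit status lets a boot script refuse to raise securelevel, or at least log the finding, when any autoloadable module could still be replaced.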