From owner-freebsd-security Thu Oct 4 2:30:55 2001
Date: Thu, 4 Oct 2001 02:30:34 -0700
From: "Crist J. Clark"
To: D J Hawkey Jr
Cc: Alexander Langer, deepak@ai.net, freebsd-security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits
Message-ID: <20011004023034.U8391@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
In-Reply-To: <20010908105308.A78138@sheol.localdomain>; from hawkeyd@visi.com on Sat, Sep 08, 2001 at 10:53:08AM -0500

On Sat, Sep 08, 2001 at 10:53:08AM -0500, D J Hawkey Jr wrote:
> On Sep 08, at 06:37 PM, Peter Pentchev wrote:
> >
> > > Q: Can the kernel be "forced" to load a module from within itself? That
> > > is, does a cracker need to be in userland?
> >
> > Yes, certainly; all kldload(8) does is invoke the kldload(2) syscall,
> > nothing more, nothing userspace-magical.
> > All a kernel routine needs to do is either invoke that syscall, or
> > call the internal kernel functions that kldload(2) calls, like e.g.
> > linker_find_file_by_name() and linker_load_file() in sys/kern/kern_linker.c
>
> Ah. Well then, as I wrote to Kris, the kernel has to deny KLD loading
> altogether, it should be a build-time option, and it should have nothing
> to over-ride this.
>
> Or am I still being too simplistic?
> I haven't been using KLD- or LKM-
> aware systems very long (~one year), but so far I've had little use for
> them (the modules). I get a box, I configure the kernel to it, and that's
> that. If the box changes, I build a new kernel. At least for the servers
> I've set up, this works fine. Now, a development or users' box, well...

Yes, I am still catching up on email almost a month old.

I went in and made a very simple kernel-build option which disables the
use of kldload(2) (and kldunload(2)) at all times. This is not as good as
raising securelevel(8) since root can still write to /dev/mem. However, a
lot of people in this thread still seem to want this ability. Since you
can still write to /dev/mem, it only raises the bar a bit for an
attacker. But it does raise the bar enough to possibly foil a skr1pt
k1ddi3 or two.

To use the patches,

  # cd /usr/src
  # patch < /path/to/sys_patch

Add the line,

  options NO_KLD

to your kernel configuration and build it in the usual manner. Have fun.

Unless there is an outpouring from people who love the idea, I'm not going
to commit these to FreeBSD.

-- 
Crist J. Clark                     cjclark@alum.mit.edu
                                   cjclark@jhu.edu
                                   cjc@freebsd.org

Attachment: sys_stable.patch

Index: sys/conf/options =================================================================== RCS file: /export/ncvs/src/sys/conf/options,v retrieving revision 1.191.2.36 diff -u -r1.191.2.36 options --- sys/conf/options 2001/09/15 00:50:35 1.191.2.36 +++ sys/conf/options 2001/10/04 08:21:10
@@ -464,3 +464,6 @@ FDC_DEBUG opt_fdc.h PCFCLOCK_VERBOSE opt_pcfclock.h PCFCLOCK_MAX_RETRIES opt_pcfclock.h + +# Disable loading and unloading of kernel modules +NO_KLD opt_kern_linker.h Index: sys/kern/kern_linker.c =================================================================== RCS file: /export/ncvs/src/sys/kern/kern_linker.c,v retrieving revision 1.41.2.2 diff -u -r1.41.2.2 kern_linker.c --- sys/kern/kern_linker.c 2000/07/16 13:13:32 1.41.2.2 +++ sys/kern/kern_linker.c 2001/10/04 08:10:05 @@ -27,6 +27,7 @@ */ #include "opt_ddb.h" +#include "opt_kern_linker.h" #include #include @@ -648,6 +649,10 @@ int kldload(struct proc* p, struct kldload_args* uap) { +#ifdef NO_KLD + /* Always return error. */ + return EPERM; +#else char* filename = NULL, *modulename; linker_file_t lf; int error = 0; @@ -685,11 +690,16 @@ if (filename) free(filename, M_TEMP); return error; +#endif } int kldunload(struct proc* p, struct kldunload_args* uap) { +#ifdef NO_KLD + /* Always fail. */ + return EPERM; +#else linker_file_t lf; int error = 0; @@ -716,6 +726,7 @@ out: return error; +#endif } int

Attachment: sys_current.patch

Index: sys/conf/options =================================================================== RCS file: /export/ncvs/src/sys/conf/options,v retrieving revision 1.295 diff -u -r1.295 options --- sys/conf/options 2001/09/29 22:32:00 1.295 +++ sys/conf/options 2001/10/04 08:07:37 @@ -526,3 +527,6 @@ # ed driver ED_NO_MIIBUS opt_ed.h + +# Disable loading and unloading of kernel modules +NO_KLD opt_kern_linker.h Index: sys/i386/conf/NOTES =================================================================== RCS file: /export/ncvs/src/sys/i386/conf/NOTES,v retrieving revision 1.961 diff -u -r1.961 NOTES --- sys/i386/conf/NOTES 2001/09/29 22:31:57 1.961 +++ sys/i386/conf/NOTES 2001/10/04 08:07:51
@@ -106,6 +106,10 @@ # options ROOTDEVNAME=\"ufs:da0s2e\" +# This prevents KLDs from being loaded at all. For those who want the +# added security but cannot run at an elevated securelevel(8). +#options NO_KLD + ##################################################################### # SMP OPTIONS: Index: sys/kern/kern_linker.c =================================================================== RCS file: /export/ncvs/src/sys/kern/kern_linker.c,v retrieving revision 1.69 diff -u -r1.69 kern_linker.c --- sys/kern/kern_linker.c 2001/09/12 08:37:44 1.69 +++ sys/kern/kern_linker.c 2001/10/04 07:47:05 @@ -27,6 +27,7 @@ */ #include "opt_ddb.h" +#include "opt_kern_linker.h" #include #include @@ -685,6 +686,10 @@ int kldload(struct thread* td, struct kldload_args* uap) { +#ifdef NO_KLD + /* Always fail */ + return EPERM; +#else char *kldname, *modname; char *pathname = NULL; linker_file_t lf; @@ -727,6 +732,7 @@ free(pathname, M_TEMP); mtx_unlock(&Giant); return (error); +#endif } /* @@ -735,6 +741,10 @@ int kldunload(struct thread* td, struct kldunload_args* uap) { +#ifdef NO_KLD + /* Always fail */ + return EPERM; +#else linker_file_t lf; int error = 0; @@ -764,6 +774,7 @@ out: mtx_unlock(&Giant); return (error); +#endif } /*
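Review bot: the sys_stable.patch sys/conf/options hunk (`@@ -464,3 +464,6 @@`) adds NO_KLD without a matching entry in the branch's documented-options file, whereas sys_current.patch also touches sys/i386/conf/NOTES; add the same commented-out `#options NO_KLD` line and description to the -stable equivalent so the option is discoverable from the build configuration and not only from this thread.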
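Review bot: the NOTES comment "This prevents KLDs from being loaded at all" in the `@@ -106,6 +106,10 @@` hunk overstates what the kern_linker.c hunks do. They only make the kldload(2) and kldunload(2) system calls return EPERM; the in-kernel path (linker_load_file() and the other internal functions the quoted discussion says a kernel routine can call directly) is untouched, as is the /dev/mem route the covering mail concedes. Suggest rewording to something like "disables the kldload(2)/kldunload(2) system calls; does not stop code already running in the kernel or with write access to /dev/mem" so nobody reads the option as equivalent to an elevated securelevel(8).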
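Review bot: in the sys_current.patch kldload hunk (`@@ -685,6 +686,10 @@`) the added `return EPERM;` does not match the `return (error);` form visible in the same function at `@@ -727,6 +732,7 @@`; use `return (EPERM);` there and in the kldunload hunk (`@@ -735,6 +741,10 @@`) to keep style(9) parenthesized returns consistent within the file. The `/* Always fail */` comment would also be more useful if it named the reason, e.g. `/* NO_KLD: module loading disabled at build time. */`. The -stable file uses the unparenthesized `return error;` throughout, so those hunks are fine as they are.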
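Review bot: the sys_current.patch sys/conf/options hunk header `@@ -526,3 +527,6 @@` has old and new start lines that differ by one even though it is the only hunk for that file, which means the diff was taken against a working copy carrying an unrelated extra line above this point rather than a clean revision 1.295; regenerate it against a clean checkout so patch(1) applies it without fuzz.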