Skip site navigation (1)Skip section navigation (2) 
Date:      Sun, 9 Sep 2001 00:30:11 +0300
From:      Giorgos Keramidas <charon@labs.gr>
To:        Alexander Langer <alex@big.endian.de>
Cc:        D J Hawkey Jr <hawkeyd@visi.com>, deepak@ai.net, freebsd-security@freebsd.org
Subject:   Re: Kernel-loadable Root Kits
Message-ID:  <20010909003011.B6949@hades.hell.gr>
In-Reply-To: <20010908203935.B54535@fump.kawo2.rwth-aachen.de>; from alex@big.endian.de on Sat, Sep 08, 2001 at 08:39:35PM %2B0200
References:  <200109081052.f88AqRG30016@sheol.localdomain> <20010908141700.A53738@fump.kawo2.rwth-aachen.de> <20010908072542.A57605@sheol.localdomain> <20010908143231.A53801@fump.kawo2.rwth-aachen.de> <20010908074445.A77252@sheol.localdomain> <20010908181537.A840@ringworld.oblivion.bg> <20010908102816.B77764@sheol.localdomain> <20010908183728.D840@ringworld.oblivion.bg> <20010908105308.A78138@sheol.localdomain> <20010908203935.B54535@fump.kawo2.rwth-aachen.de>
next in thread | previous in thread | raw e-mail | index | archive | help 
From: Alexander Langer <alex@big.endian.de>
Subject: Re: Kernel-loadable Root Kits
Date: Sat, Sep 08, 2001 at 08:39:35PM +0200

> Thus spake D J Hawkey Jr (hawkeyd@visi.com):
> 
> > Ah. Well then, as I wrote to Kris, the kernel has to deny KLD loading
> > altogether, it should be a build-time option, and it should have nothing
> > to over-ride this.
> > Or am I still being too simplistic? I haven't been using KLD- or LKM-
> 
> You'd have to remove the whole kld code then, including all
> linker_file stuff.
> 
> And, given that, you can still use /dev/mem to manipulate the kernel.

Simple fix to all this is: sysctl kern.securelevel=1.

The manpage (and the code of both kldload() syscall and
linker_load_file()) explains it clearly:

     % man 8 init

     1     Secure mode - the system immutable and system append-only flags may
           not be turned off; disks for mounted filesystems, /dev/mem, and
           /dev/kmem may not be opened for writing; kernel modules (see
           kld(4)) may not be loaded or unloaded.

So, on securelevels >=1 neither modules can be loaded, nor /dev/mem
and /dev/kmem tampered with.

Guys, this has a simple and elegant solution.  Raise your securelevel,
if you are worried so much.  You don't have to do some special
kernel-hacker magic.

-giorgos


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010909003011.B6949>