From: Robert Bonomi
Date: Wed, 24 Feb 2010 16:47:25 -0600 (CST)
To: questions@freebsd.org
Subject: how to disable loadable kernel modules?
Message-Id: <201002242247.o1OMlPov010540@mail.r-bonomi.com>
List-Id: User questions (freebsd-questions@freebsd.org)

I'm building custom kernels for use in 'hostile' environments -- where I need to enforce "restricted" capabilities, even in the event of malicious 'root' access. (If the bad guy has *physical* access to the machine, I know I'm toast, so I don't try to protect against _that_ in software -- beyond the usual access-control mechanisms, that is.)

To accomplish this, I need to (among other things) *completely* disable kernel 'loadable module' functionality. Building the required monolithic kernel is no problem, and by booting from _physical_ read-only media, I can protect against bootloader/kernel/application substitution. I just need to make it "impossible" to add modules to the running system.

I don't see anything in the kernel configuration file options (e.g., something like an 'options NO_MODULES') that would do this 'painlessly', so I'm looking at the 'brute force' solution of actually modifying the kernel code myself.
Can somebody point me towards the source module(s) that contain the syscall 'dispatch' code and/or the loadable module implementation? I'm looking to either disable the kernel function ENTIRELY, *or* (in the spirit of 'making life difficult for the bad guys') let it do everything it normally does, *except* actually installing the module _functionality_ -- i.e., kldload executes w/o error, kldstat shows that the module "is" loaded, etc.; but any attempt to _use_ the functionality therein is a no-op.

Peripherally related: is there a tutorial/reference, anywhere, on how the kernel configuration/build process _works_? _NOT_ a "how to make a custom kernel", but the _mechanics_ of "what goes on behind the scenes" during 'config' execution. E.g., stuff like where 'options {foo}' etc. is defined, what files it causes to be included, what symbols it 'defines', and what must be (conditionally) re-compiled when it is present or its value is changed.