Date: Wed, 24 Feb 2010 17:38:45 -0600 (CST)
From: Lars Eighner <luvbeastie@larseighner.com>
To: Robert Bonomi <bonomi@mail.r-bonomi.com>
Cc: questions@freebsd.org
Subject: Re: how to disable loadable kernel modules?
Message-ID: <20100224173838.Y78021@qroenaqrq.6qbyyneqvnyhc.pbz>
In-Reply-To: <201002242247.o1OMlPov010540@mail.r-bonomi.com>
References: <201002242247.o1OMlPov010540@mail.r-bonomi.com>
On Wed, 24 Feb 2010, Robert Bonomi wrote:

>
> I'm building custom kernels for use in 'hostile' environments -- where I
> need to enforce "restricted" capabilities, even in the event of malicious
> 'root' access. (if the bad guy has *physical* access to the machine, I
> know I'm toast, so I don't try to protect against _that_ in software --
> beyond the usual access-control mechanisms, that is.)
>
> To accomplish this, I need to (among other things) *completely* disable
> kernel 'loadable module' functionality. Building the required monolithic
> kernel is no problem, and by booting from _physical_ read-only media, I
> can protect against bootloader/kernel/application substitution. I just
> need to make it "impossible" to add modules to the running system.

I don't see how this is really possible in a bullet-proof way. Anyone with
root access can edit loader.conf and force a reboot --- or wait until a
power interruption or something causes a reboot. You pretty much have to be
able to reboot the machine, so...

It seems to me you could replace kldload (the command, not the system call)
with a dummy script which would raise the bar a bit.

You could remove (I think) the modules you are afraid of, but someone with
root privileges could replace them with trojans.

-- 
Lars Eighner
http://www.larseighner.com/index.html
8800 N IH35 APT 1191 AUSTIN TX 78753-5266
