From owner-freebsd-questions@FreeBSD.ORG Thu Feb 25 02:49:38 2010 Return-Path: Delivered-To: questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 959921065670 for ; Thu, 25 Feb 2010 02:49:38 +0000 (UTC) (envelope-from bonomi@mail.r-bonomi.com) Received: from mail.r-bonomi.com (ns2.r-bonomi.com [204.87.227.129]) by mx1.freebsd.org (Postfix) with ESMTP id 4E77A8FC19 for ; Thu, 25 Feb 2010 02:49:37 +0000 (UTC) Received: (from bonomi@localhost) by mail.r-bonomi.com (8.14.3/rdb1) id o1P2nT9r012045; Wed, 24 Feb 2010 20:49:29 -0600 (CST) Date: Wed, 24 Feb 2010 20:49:29 -0600 (CST) From: Robert Bonomi Message-Id: <201002250249.o1P2nT9r012045@mail.r-bonomi.com> To: luvbeastie@larseighner.com Cc: questions@freebsd.org Subject: Re: how to disable loadable kernel moduels? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 25 Feb 2010 02:49:38 -0000 > From owner-freebsd-questions@freebsd.org Wed Feb 24 18:04:25 2010 > Date: Wed, 24 Feb 2010 17:38:45 -0600 (CST) > From: Lars Eighner > To: Robert Bonomi > Cc: questions@freebsd.org > Subject: Re: how to disable loadable kernel moduels? > > On Wed, 24 Feb 2010, Robert Bonomi wrote: > > > I'm building custom kernels for use in 'hostile' environments -- where I > > need to enforce "restricted" capabilities, even in the event of malicious > > 'root' access. (if the bad guy has *physical* access to the machine, I > > know I'm toast, so I don't try to protect against _that_ in software -- > > beyond the usual access-control mechnisms, that is.) > > > > To accomplish this, I need to (among other things) *completely* disable > > kernel 'loadable module' functionality. Building the required monolithic > > kernel is no problem, and by booting from _physical_ read-only media, I > > can protect against bootloader/kernel/application substitution. I just > > need to make it "impossible" to add modules to the running system. > > I don't see how this is really bullet-proof possible. Anyone with root > access can edit loader.conf and force a reboot --- or wait until a power > interuption or something causes a reboot. You're not thinking 'creatively' enough. superuser access _doesn't_ help if things like 'loader.conf' are on _read-only_ media. Not just a mount switch, but -hardware- enforced. Many SCSI disks have a 'write-protect' jumper on them. The _only_ way to defeat =that= requires physical access to the machine. > You pretty much have to be able > to reboot the machine, soo... > > It seems to me you could replace kldload (the command, not the system call) > with a dummy script which would raise the bar a bit. You could remove (I > think) the modules you are afraid of, but someone with root priviledges > could replace them with trojans. I *can* ensure a 'trusted' software platform at boot time. I _can't_ ensure that there are no bugs/points of attack. But I can make 'life difficult' for the bad actor that does find an exploit. Protecting 'critical resources' against someone who gains enough access to import his own tools (say his _own_copy_ of kldload) is the threat level I'm looking at. I _want_ the bad guy to waste his time trying things that "don't work", and that may set off alarms. Much better chances of catching the perp 'in the act' when he doesn't know that he's triggered something.