Re: kernel module loading vs securelevel

To: Paul Goyette <paul%whooppee.com@localhost>
Subject: Re: kernel module loading vs securelevel
From: David Holland <dholland-tech%netbsd.org@localhost>
Date: Sat, 16 Oct 2010 18:59:44 +0000

On Sat, Oct 16, 2010 at 05:07:30AM -0700, Paul Goyette wrote:
 > autoload/autounload does NOT perform any authorization checks -
 > please look at the code!  No checking of securelevel occurs, as far
 > as I can see.  For autoload, the module name must not contain a
 > '/', so if the module is being loaded from the file system it must
 > be loaded from the "blessed" /stand/${ARCH}/${VERSION}/modules
 > directory.  Including the INSECURE option will have no effect on
 > autoloading of modules.

If this is true it makes securelevel useless; all you need to do is
put a hostile module in the right place and cause it to be autoloaded.
(Remember the point of securelevel is that even root can't lower it.)

It should be sufficient, I think, to check at boot time that any
module that can be autoloaded is marked immutable.

-- 
David A. Holland
dholland%netbsd.org@localhost

Follow-Ups:
- Re: kernel module loading vs securelevel
  - From: Paul Goyette

References:
- Re: kernel module loading vs securelevel
  - From: Izumi Tsutsui
- Re: kernel module loading vs securelevel
  - From: Paul Goyette

Prev by Date: Re: kernel module loading vs securelevel
Next by Date: Re: kernel module loading vs securelevel
Previous by Thread: Re: kernel module loading vs securelevel
Next by Thread: Re: kernel module loading vs securelevel
Indexes:

Home | Main Index | Thread Index | Old Index