[unisog] HXD

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Sat Feb 12 03:16:53 GMT 2005


On Fri, 11 Feb 2005 18:25:38 CST, Sean Kelly said:

> In theory, you could design a Linux kernel module that would prevent any
> further modules from being loaded through the standard system calls. Just
> write a module that wraps around the create_module() and init_module()
> system calls and returns EPERM or something. You'd still have the
> possibility of somebody playing around with /dev/mem or /dev/kmem, but
> there is a slim chance of that happening.

In the 2.6 kernel, you don't even need to put a wrapper around create_module()
and friends.  The LSM (Linux Security Modules) framework provides a hook
for capable(); just rejecting calls for CAP_SYS_MODULE after you're done booting
will be sufficient.  You'd really want to include code for a one-shot toggle
in /proc or /sys someplace - if your kernel is built with module support at all,
you'll probably be doing some modprobe'ing on the way up.

You really need to assume that any attacker (or at least the black hat
who actually wrote the toolkit) who's clued enough to throw
a Linux kernel module at you has also read Phrack 58:

http://www.phrack.org/show.php?p=58&a=7

on how to do it even on a kernel that doesn't have CONFIG_MODULE enabled.
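The one-shot toggle described above later landed in the mainline kernel as the kernel.modules_disabled sysctl (Linux 2.6.31 and later): it accepts only the transition 0 -> 1, and once set it stays set until reboot, which is exactly the "modprobe on the way up, then latch" sequence the post sketches. The script below is an added example, not code from the original message or from any kernel tree; it assumes a kernel with that sysctl, that it runs as root at the tail of the boot sequence, and takes the sysctl path as a parameter only so the functions can be exercised against a scratch file.

```shell
#!/bin/sh
# Added example: latch module loading off after boot using the
# kernel.modules_disabled sysctl (Linux 2.6.31+). Not code from the post.
# The sysctl path is a parameter so the checks can be run against a
# scratch file; in production the default /proc path is used.

MODULES_DISABLED_DEFAULT=/proc/sys/kernel/modules_disabled

# Load everything the rest of boot needs before the latch is set;
# after lock_module_loading succeeds, modprobe/insmod will get EPERM.
load_required_modules() {
    for m in "$@"; do
        modprobe "$m" || return 1
    done
}

# Set the one-shot latch. The kernel accepts only 0 -> 1; later writes
# of 0 are rejected until reboot, so a root-level attacker cannot undo it.
# Returns 0 on success, 2 if the sysctl is absent or not writable.
lock_module_loading() {
    path=${1:-$MODULES_DISABLED_DEFAULT}
    [ -w "$path" ] || return 2
    printf '1\n' > "$path" || return 1
    [ "$(cat "$path")" = "1" ]
}

# Audit check for a hardening scanner: 0 if loading is locked, 1 otherwise.
module_loading_locked() {
    path=${1:-$MODULES_DISABLED_DEFAULT}
    [ -r "$path" ] && [ "$(cat "$path")" = "1" ]
}

# Typical use at the end of boot (left as a comment; requires root):
#   load_required_modules e1000 ext3 && lock_module_loading
```

Run it after the last modprobe of the boot sequence; anything that needs a module after that point (a USB device plugged in later, for instance) will fail, so the list handed to load_required_modules has to be complete. As the post notes, this only closes the module-loading path: writes to /dev/mem or /dev/kmem are a separate issue.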