2

Once upon a time (before kernel 2.6.25), one could use /proc/sys/kernel/cap-bound to drop CAP_SYS_MODULE system-wide, and be assured that the set of code that was presently loaded into kernel space was all there would ever be, absent exploits or rebooting.

Then it was decided that CAP_NET_ADMIN would be allowed to load kernel modules even without CAP_SYS_MODULE(!), and the value of CAP_SYS_MODULE came to a close -- grepping through a modern kernel, I find no runtime checks for CAP_SYS_MODULE to still exist.

What's the modern replacement?

Improve this question

1 Answer 1

Reset to default
2

Kees Cook implemented a sysctl to fill this need in early 2009. As documented in Documentation/sysctl/kernel.txt:

modules_disabled:

A toggle value indicating if modules are allowed to be loaded in an otherwise modular kernel. This toggle defaults to off (0), but can be set true (1). Once true, modules can be neither loaded nor unloaded, and the toggle cannot be set back to false. Generally used with the "kexec_load_disabled" toggle.

As mentioned, this should be used with kexec_load_disabled if the goal is to control which code is active in kernelspace:

kexec_load_disabled:

A toggle indicating if the kexec_load syscall has been disabled. This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, allowing a system to set up (and later use) an image without it being altered. Generally used together with the "modules_disabled" sysctl.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.