New for Linux 2.6.31 (and Ubuntu 9.10) is the ability to throw a one-way toggle to block module loading via /proc/sys/kernel/modules_disabled
:
# uname -a
Linux sec-karmic-amd64 2.6.31-4-generic #23-Ubuntu SMP Mon Jul 27 18:39:59 UTC 2009 x86_64 GNU/Linux
# lsmod | head -n3
Module Size Used by
binfmt_misc 10220 1
ppdev 8200 0
# cat /proc/sys/kernel/modules_disabled
0
# modprobe usb-storage
# lsmod | head -n3
Module Size Used by
usb_storage 65600 0
binfmt_misc 10220 1
# echo 1 > /proc/sys/kernel/modules_disabled
# rmmod usb-storage
ERROR: Removing 'usb_storage': Operation not permitted
# modprobe zlib_deflate
FATAL: Error inserting zlib_deflate (/lib/modules/2.6.31-4-generic/kernel/lib/zlib_deflate/zlib_deflate.ko): Operation not permitted
# echo 0 > /proc/sys/kernel/modules_disabled
bash: echo: write error: Invalid argument
# cat /proc/sys/kernel/modules_disabled
1
The intent is for this to allow paranoid server admins (or other people not expecting to hot-plug new hardware or kernel services) the ability to block module loading without compiling a monolithic kernel.
This kind of thing used to be available through the “lcap” utility modifying the global capability bounding set (which was removed in 2.6.25), but init could always be made to turn it back on.
Combined with the removal of /dev/kmem and the hardening of /dev/mem, this closes another kernel rootkit door. It’s not a cure-all, but it’s another layer.
Now we just have to figure out ways to stamp out unexpected ioport-triggered DMA access.
© 2009, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
BTW, to temporarily disable automatic module loading, you can do: “echo /bin/false > /proc/sys/kernel/modprobe”. When you want it back, restore it: “echo /sbin/modprobe > /proc/sys/kernel/modprobe”.
Comment by kees — February 11, 2011 @ 2:27 pm
[…] (not currently possible with upstream), build a monolithic kernel (no modules), or otherwise block (un)loading of modules […]
Pingback by security things in Linux v4.4 « codeblog — September 27, 2016 @ 2:47 pm
[…] (not currently possible with upstream), build a monolithic kernel (no modules), or otherwise block (un)loading of modules […]
Pingback by security things in Linux v4.5 « codeblog — September 29, 2016 @ 12:43 pm