Hello again,

I am disabling the ability to load and unload modules in my LSM. I am accomplishing this in the hook security_operations.capable, where I test the (cap & CAP_SYS_MODULE) condition. Once my LSM is in a certain state, then it cannot be reset to a less secure state, and module operations are disallowed in that state.

Needless to say, this causes some serious breakage while trying to halt/reboot/shutdown the machine. One way to fix that would be to allow module operations once the user runs /sbin/halt, /sbin/reboot, or /sbin/shutdown. Of course, then we would have to worry about people running and immediately terminating the process just to reset the LSM. And this is also vulnerable to someone replacing one of these files with a trojan executable, so that is not an acceptable option.

It seems that I would not be the only one interested in stopping root from unloading my LSM. In fact, any unprotected LSM could be trivially defeated with an rmmod. Yet module operations (at least those that check CAP_SYS_MODULE, like sys_init_module and sys_delete_module) seem to be necessary once the halting process has begun - at least under SuSE 8.1.

How is this currently being addressed? Is there a flag set in the kernel that indicates that we are in "shutdown" mode? (Perhaps the init level can be used?) Is this whole issue heavily distro-dependent?

I would love to have a hook in sys_delete_module, so I can specifically deal with requests to unload my LSM...

Thanks,
Mike

-- 
-------------------------------------------  |  ---------------------
Michael Halcrow                              |  mhalcrowat_private
Developer, IBM Linux Technology Center       |
                                             |
A hacker does for love what others would     |
not do for money.                            |
-------------------------------------------  |  ---------------------
GnuPG Keyprint: 05B5 08A8 713A 64C1 D35D 2371 2D3C FDDA 3EB6 601D
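The mechanism the post describes, as an added user-space model that is not code from the post or from any real LSM: a one-way state latch and a capable hook that denies CAP_SYS_MODULE once the latch is set. The state variable, lsm_set_state and lsm_capable are hypothetical stand-ins for the kernel's sysctl and security_operations interfaces; the capability values are the ones from linux/capability.h, and the hook compares the capability number rather than masking it, because capability constants are indices.

```c
/* Added example (not from the post): a user-space model of an LSM whose
 * "capable" hook refuses CAP_SYS_MODULE once the LSM has been locked.
 * lsm_state, lsm_set_state and lsm_capable are hypothetical stand-ins for
 * the real kernel state, sysctl setter and security_operations.capable hook. */
#include <stdbool.h>
#include <errno.h>

#define CAP_SYS_MODULE 16   /* values from linux/capability.h */
#define CAP_SYS_BOOT   22

enum lsm_state { LSM_OPEN = 0, LSM_LOCKED = 1 };

static enum lsm_state lsm_state = LSM_OPEN;

/* One-way transition: a request for a less secure state is rejected,
 * so root cannot reopen the LSM after it has been locked. */
int lsm_set_state(enum lsm_state requested)
{
    if (requested < lsm_state)
        return -EPERM;
    lsm_state = requested;
    return 0;
}

/* Model of security_operations.capable: 0 permits, -EPERM denies.
 * cap is a capability index (CAP_SYS_MODULE == 16), so it is compared,
 * not masked; every other capability is left to the default policy. */
int lsm_capable(int cap)
{
    if (cap == CAP_SYS_MODULE && lsm_state == LSM_LOCKED)
        return -EPERM;
    return 0;
}

/* What sys_init_module / sys_delete_module effectively ask the hook
 * before loading or unloading a module. */
bool module_op_allowed(void)
{
    return lsm_capable(CAP_SYS_MODULE) == 0;
}
```

Once locked, the model denies the module operations the post says halt and reboot still need, which is exactly the breakage the post asks about.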
This archive was generated by hypermail 2b30 : Fri May 30 2003 - 11:51:28 PDT