* Michael Halcrow (mhalcrowat_private) wrote:
> Hello again,
>
> I am disabling the ability to load and unload modules in my LSM. I am
> accomplishing this in the hook security_operations.capable, where I
> test the ( cap & CAP_SYS_MODULE ) condition. Once my LSM is in a
> certain state, then it cannot be reset to a less secure state, and
> module operations are disallowed in that state.

You can trivially block your module by incrementing its use count and
not decrementing it. Of course, this means you can't unload it. You can
also make sure you have a way to generate a trusted admin process that
can safely do the shutdown.

> Needless to say, this causes some serious breakage while trying to
> halt/reboot/shutdown the machine. One way to fix that would be to
> allow module operations once the user runs /sbin/halt, /sbin/reboot,
> or /sbin/shutdown. Of course, then we would have to worry about
> people running and immediately terminating the process just to reset
> the LSM. And this is also vulnerable to someone replacing one of
> these files with a trojan executable, so that is not an acceptable
> option.

All of this is true. It depends on the threat model the module is
protecting against, and many prefer to compile the module statically
into the kernel.

> It seems that I would not be the only one interested in stopping
> root from unloading my LSM. In fact, any unprotected LSM could be
> trivially defeated with an rmmod. Yet module operations (at least
> those that check CAP_SYS_MODULE, like sys_init_module and
> sys_delete_module) seem to be necessary once the halting process has
> begun - at least under SuSE 8.1. How is this currently being
> addressed?

Typically by still having _some_ administrative/privileged task around
that can do what is necessary to safely shutdown.

> Is there a flag set in the kernel that indicates that we are in
> ``shutdown'' mode? (Perhaps the init level can be used?) Is this
> whole issue heavily distro-dependent?

Yes there is, but it's set after the LSM hook looks at reboot.

> I would love to have a hook in sys_delete_module, so I can
> specifically deal with requests to unload my LSM...

Heh, we used to have one, but removed it as it was too similar to the
capability check that's already there, and the hook was rejected when
we submitted it to the mainline.

thanks,
-chris
--
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
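To make the design discussed above concrete, the following is an added userspace C model written for this page; it is not code from the thread, from the LSM project, or from the kernel. It models the three pieces the reply mentions: a security state that can only ratchet toward "more locked", a capable() decision that denies CAP_SYS_MODULE once locked, a pinned module use count that keeps the LSM itself from being unloaded even when other modules may be, and a reboot path in which the kernel's shutdown flag is only set after the hook has already run, so the hook cannot rely on it. The names lsm_policy, lsm_set_state, lsm_capable, lsm_delete_module, lsm_reboot and the trusted_admin argument are assumptions for illustration; only the CAP_* numbers match the kernel's values.

```c
/* Added example: userspace model of a one-way LSM lock state.
 * Not kernel code; all lsm_* names and the trusted_admin flag are
 * assumed for illustration.  Return values: 0 = permitted, -1 = EPERM,
 * -2 = EBUSY (module use count held).
 */
#include <stdbool.h>

/* Capability numbers as defined in <linux/capability.h>. */
#define CAP_SYS_MODULE 16
#define CAP_SYS_BOOT   22

/* Ordered so that a numerically lower state is "less secure". */
enum lsm_state { LSM_OPEN = 0, LSM_LOCKED = 1, LSM_SHUTDOWN = 2 };

struct lsm_policy {
    enum lsm_state state;
    bool module_pinned;   /* models having taken an extra use count on the LSM itself */
};

/* State transitions never go backwards; entering SHUTDOWN additionally
 * requires a trusted administrative caller (how "trusted" is decided, e.g.
 * by a process label, is outside this model and assumed here). */
static int lsm_set_state(struct lsm_policy *p, enum lsm_state new_state,
                         bool trusted_admin)
{
    if (new_state < p->state)
        return -1;                       /* no downgrade to a less secure state */
    if (new_state == LSM_SHUTDOWN && !trusted_admin)
        return -1;                       /* only a trusted task may open shutdown */
    p->state = new_state;
    return 0;
}

/* Model of the capable hook: CAP_SYS_MODULE is refused while LOCKED. */
static int lsm_capable(const struct lsm_policy *p, int cap)
{
    switch (p->state) {
    case LSM_OPEN:
        return 0;
    case LSM_LOCKED:
        return cap == CAP_SYS_MODULE ? -1 : 0;
    case LSM_SHUTDOWN:
        return 0;                        /* init scripts may unload other modules */
    }
    return -1;
}

/* Model of delete_module: even when capable() allows the operation, the
 * LSM's own pinned use count makes unloading it fail with EBUSY. */
static int lsm_delete_module(const struct lsm_policy *p, bool is_this_module)
{
    if (lsm_capable(p, CAP_SYS_MODULE) != 0)
        return -1;
    if (is_this_module && p->module_pinned)
        return -2;
    return 0;
}

/* Model of the reboot path: the permission check runs first, and the
 * kernel-wide shutdown flag is set only afterwards, so the hook must use
 * its own state rather than that flag. */
static int lsm_reboot(struct lsm_policy *p, bool trusted_admin,
                      bool *kernel_shutdown_flag)
{
    if (lsm_capable(p, CAP_SYS_BOOT) != 0)
        return -1;
    if (lsm_set_state(p, LSM_SHUTDOWN, trusted_admin) != 0)
        return -1;                       /* untrusted caller: nothing changes */
    *kernel_shutdown_flag = true;        /* set after the hook has already decided */
    return 0;
}
```

Usage: move a policy from LSM_OPEN to LSM_LOCKED, observe that CAP_SYS_MODULE is now refused and that a downgrade back to LSM_OPEN fails; then drive lsm_reboot once with trusted_admin false (refused, flag untouched) and once with it true (SHUTDOWN entered, other modules unloadable, the pinned LSM still returns EBUSY).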
This archive was generated by hypermail 2b30 : Fri May 30 2003 - 12:08:04 PDT