aboutsummaryrefslogtreecommitdiffstats
path: root/kernel/module.c
diff options
context:
space:
mode:
authorKees Cook <kees@ubuntu.com>2009-04-02 18:49:29 -0400
committerJames Morris <jmorris@namei.org>2009-04-02 20:47:11 -0400
commit3d43321b7015387cfebbe26436d0e9d299162ea1 (patch)
treebae6bd123c8f573e844a7af11c96eb5f6a73e0ee /kernel/module.c
parent8a6f83afd0c5355db6d11394a798e94950306239 (diff)
modules: sysctl to block module loading
Implement a sysctl file that disables module-loading system-wide since there is no longer a viable way to remove CAP_SYS_MODULE after the system bounding capability set was removed in 2.6.25. Value can only be set to "1", and is tested only if standard capability checks allow CAP_SYS_MODULE. Given existing /dev/mem protections, this should allow administrators a one-way method to block module loading after initial boot-time module loading has finished. Signed-off-by: Kees Cook <kees.cook@canonical.com> Acked-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'kernel/module.c')
-rw-r--r--kernel/module.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/kernel/module.c b/kernel/module.c
index f77ac320d0b..eeb3f7b1383 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -778,6 +778,9 @@ static void wait_for_zero_refcount(struct module *mod)
778 mutex_lock(&module_mutex); 778 mutex_lock(&module_mutex);
779} 779}
780 780
781/* Block module loading/unloading? */
782int modules_disabled = 0;
783
781SYSCALL_DEFINE2(delete_module, const char __user *, name_user, 784SYSCALL_DEFINE2(delete_module, const char __user *, name_user,
782 unsigned int, flags) 785 unsigned int, flags)
783{ 786{
@@ -785,7 +788,7 @@ SYSCALL_DEFINE2(delete_module, const char __user *, name_user,
785 char name[MODULE_NAME_LEN]; 788 char name[MODULE_NAME_LEN];
786 int ret, forced = 0; 789 int ret, forced = 0;
787 790
788 if (!capable(CAP_SYS_MODULE)) 791 if (!capable(CAP_SYS_MODULE) || modules_disabled)
789 return -EPERM; 792 return -EPERM;
790 793
791 if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0) 794 if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0)
@@ -2349,7 +2352,7 @@ SYSCALL_DEFINE3(init_module, void __user *, umod,
2349 int ret = 0; 2352 int ret = 0;
2350 2353
2351 /* Must have permission */ 2354 /* Must have permission */
2352 if (!capable(CAP_SYS_MODULE)) 2355 if (!capable(CAP_SYS_MODULE) || modules_disabled)
2353 return -EPERM; 2356 return -EPERM;
2354 2357
2355 /* Only one module load at a time, please */ 2358 /* Only one module load at a time, please */