aboutsummaryrefslogtreecommitdiffstats
path: root/Documentation/sysctl/kernel.txt
diff options
context:
space:
mode:
authorKees Cook <kees@ubuntu.com>2009-04-02 18:49:29 -0400
committerJames Morris <jmorris@namei.org>2009-04-02 20:47:11 -0400
commit3d43321b7015387cfebbe26436d0e9d299162ea1 (patch)
treebae6bd123c8f573e844a7af11c96eb5f6a73e0ee /Documentation/sysctl/kernel.txt
parent8a6f83afd0c5355db6d11394a798e94950306239 (diff)
modules: sysctl to block module loading
Implement a sysctl file that disables module-loading system-wide since there is no longer a viable way to remove CAP_SYS_MODULE after the system bounding capability set was removed in 2.6.25. Value can only be set to "1", and is tested only if standard capability checks allow CAP_SYS_MODULE. Given existing /dev/mem protections, this should allow administrators a one-way method to block module loading after initial boot-time module loading has finished. Signed-off-by: Kees Cook <kees.cook@canonical.com> Acked-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'Documentation/sysctl/kernel.txt')
-rw-r--r--Documentation/sysctl/kernel.txt11
1 files changed, 11 insertions, 0 deletions
diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt
index a4ccdd1981cf..02b134956273 100644
--- a/Documentation/sysctl/kernel.txt
+++ b/Documentation/sysctl/kernel.txt
@@ -30,6 +30,7 @@ show up in /proc/sys/kernel:
30- kstack_depth_to_print [ X86 only ] 30- kstack_depth_to_print [ X86 only ]
31- l2cr [ PPC only ] 31- l2cr [ PPC only ]
32- modprobe ==> Documentation/debugging-modules.txt 32- modprobe ==> Documentation/debugging-modules.txt
33- modules_disabled
33- msgmax 34- msgmax
34- msgmnb 35- msgmnb
35- msgmni 36- msgmni
@@ -179,6 +180,16 @@ kernel stack.
179 180
180============================================================== 181==============================================================
181 182
183modules_disabled:
184
185A toggle value indicating if modules are allowed to be loaded
186in an otherwise modular kernel. This toggle defaults to off
187(0), but can be set true (1). Once true, modules can be
188neither loaded nor unloaded, and the toggle cannot be set back
189to false.
190
191==============================================================
192
182osrelease, ostype & version: 193osrelease, ostype & version:
183 194
184# cat osrelease 195# cat osrelease