modules: sysctl to block module loading

Implement a sysctl file that disables module-loading system-wide since
there is no longer a viable way to remove CAP_SYS_MODULE after the system
bounding capability set was removed in 2.6.25.

Value can only be set to "1", and is tested only if standard capability
checks allow CAP_SYS_MODULE.  Given existing /dev/mem protections, this
should allow administrators a one-way method to block module loading
after initial boot-time module loading has finished.

Signed-off-by: Kees Cook <kees.cook@canonical.com>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>

1 files changed, 12 insertions, 0 deletions

diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index c5ef44ff850f..2fb4246d27de 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -113,6 +113,7 @@ static int ngroups_max = NGROUPS_MAX;
 
 #ifdef CONFIG_MODULES
 extern char modprobe_path[];
+extern int modules_disabled;
 #endif
 #ifdef CONFIG_CHR_DEV_SG
 extern int sg_big_buff;
@@ -533,6 +534,17 @@ static struct ctl_table kern_table[] = {
                 .proc_handler   = &proc_dostring,
                 .strategy       = &sysctl_string,
         },
+        {
+                .ctl_name       = CTL_UNNUMBERED,
+                .procname       = "modules_disabled",
+                .data           = &modules_disabled,
+                .maxlen         = sizeof(int),
+                .mode           = 0644,
+                /* only handle a transition from default "0" to "1" */
+                .proc_handler   = &proc_dointvec_minmax,
+                .extra1         = &one,
+                .extra2         = &one,
+        },
 #endif
 #if defined(CONFIG_HOTPLUG) && defined(CONFIG_NET)
         {