Question about /dev/mem and /dev/kmem

From: Jim Nelson
Date: Sun Nov 28 2004 - 22:58:30 EST


I was looking at some articles about rootkits on monolithic kernels, and had a thought. Would a kernel config option to disable write access to /dev/mem and /dev/kmem be a workable idea?

I know it'll kill X (unless you're using the framebuffer X server), but would there be any other big problems? SELinux has finer-grained control over those files, but also involves a bit of administrative and system overhead.

I see this as an option that could be used in routers, web servers, firewalls and other systems that have a greater risk of exposure to rootkits. Granted, it only makes sense with a monolithic kernel, but most people nowadays would only use monolithic kernels for security reasons. You could also put a couple of printk()'s in to raise alarms if someone does try to open the device file for writing.

Am I speaking ex rectum? Granted, I'm kinda new to this, but I can't see any reason not to offer the choice to someone compiling a kernel - and I think it could be done with a minimum of code bloat.

I offer this to the firing range ;)

Jim
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
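
The open-time check proposed in the message above, modelled in userspace C as an added example (not code from the post or from the kernel). The names mem_open_policy, MEM_DEVICES_READONLY and mem_write_denials are hypothetical, and fprintf() stands in for the suggested printk() alarm.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>

/* Hypothetical stand-in for the proposed kernel config option. */
#define MEM_DEVICES_READONLY 1

/* Number of refused write opens; a real handler would printk() instead. */
static unsigned long mem_write_denials;

/*
 * Model of the decision an open() handler for /dev/mem or /dev/kmem
 * would make. Returns 0 to allow the open, -EPERM to refuse it.
 */
int mem_open_policy(const char *dev, int flags, int readonly)
{
    int acc = flags & O_ACCMODE;

    if (!readonly)
        return 0;               /* option disabled: behaviour unchanged */

    /*
     * O_RDONLY is 0, so the access mode must be compared as a field.
     * Testing a single bit such as (flags & O_WRONLY) would let
     * O_RDWR through, and O_RDWR grants write access just the same.
     */
    if (acc == O_WRONLY || acc == O_RDWR) {
        mem_write_denials++;
        fprintf(stderr, "alert: write open of %s refused\n", dev);
        return -EPERM;
    }
    return 0;                   /* read-only opens keep working */
}

int main(void)
{
    /* Constructed sample requests, not taken from a real system. */
    printf("O_RDONLY -> %d\n",
           mem_open_policy("/dev/mem", O_RDONLY, MEM_DEVICES_READONLY));
    printf("O_RDWR   -> %d\n",
           mem_open_policy("/dev/mem", O_RDWR, MEM_DEVICES_READONLY));
    printf("O_WRONLY -> %d\n",
           mem_open_policy("/dev/kmem", O_WRONLY | O_SYNC, MEM_DEVICES_READONLY));
    printf("denials: %lu\n", mem_write_denials);
    return 0;
}
```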