> > Not to jump in or anything, but...
> > How about a small kernel function to return the current securelevel value?
> > int get_securelevel();
> > Then export THAT to modules.
>
> I must be missing something here... if you really want to attack the
> kernel you are running in you could always take the address of
> get_securelevel(), follow it to see where the "mov" reads from, and then
> write to that location.
>
> Protecting the kernel against each module would cause a lot of unnecessary
> overhead. Is there any good reason why modules should not be "trusted"
> code?
I can't see any reason why modules can't be trusted code, and I've assumed
them to be so for doing the POSIX.6 stuff - this requires having the
sys_insmod/sys_rmmod privs to get the code into the kernel.
Even in a non POSIX.6 system you need to be root to stuff module code into
the kernel - and if you are root you can just as easily rebuild a bogus
kernel.
The only time I can see it being a problem is if you get a binary only
module - then it is up to the systems security officer to make the judgment
of whether it can be installed into the system.
Basically I think that modules should be part of the TCB.
What might be nice however is if securelevel could be raised only....
-- Darren J Moffat
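The two ideas in the thread, a read-only accessor exported to modules and a securelevel that can only go up, sketched as a userland model. This is an added example, not code from the thread or from any kernel; the names `raise_securelevel` and `insmod_allowed`, and the policy that level 1 refuses module loading, are assumptions for illustration.

```c
/* Added example (not from the thread): a userland model of a
 * raise-only securelevel with a read-only accessor that is the
 * only symbol a module would see. The function names and the
 * "level >= 1 blocks insmod" policy are hypothetical. */
#include <errno.h>
#include <stdio.h>

static int securelevel = 0;      /* file-private; never exported */

/* Read-only accessor: the one symbol that would be exported. */
int get_securelevel(void)
{
    return securelevel;
}

/* Raising succeeds; lowering is refused until the next boot.
 * Returns 0 on success, -EPERM if the request would lower it. */
int raise_securelevel(int level)
{
    if (level < securelevel)
        return -EPERM;
    securelevel = level;
    return 0;
}

/* Assumed policy: once the security officer has raised the level
 * to 1 or more, no further module (binary-only or otherwise) can
 * be inserted, so the TCB is frozen for the rest of the uptime. */
int insmod_allowed(void)
{
    return get_securelevel() < 1;
}

int main(void)
{
    printf("level %d, insmod allowed: %d\n",
           get_securelevel(), insmod_allowed());
    raise_securelevel(1);
    printf("after raise: level %d, insmod allowed: %d\n",
           get_securelevel(), insmod_allowed());
    printf("attempt to lower returns %d (EPERM is %d)\n",
           raise_securelevel(0), EPERM);
    return 0;
}
```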