Re: Sealing the kernel

John Langford (l_k_account@gs176.sp.cs.cmu.edu)
Wed, 27 Oct 1999 21:23:20 -0400 (EDT)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Kanoj Sarcar: "[PATCH] 2.3.23 patch to fix SMP kernel hang on UP machines"
Previous message: CompWiz: "Kernel 2.2.14pre2 won't compile w/ipforward err"

> If it is _that_ important, a few Kb in resident drivers, etc is not a big
> deal. Just disable module loading for good, close reading/writing of
> /dev/mem, etc. That is _much_ easier to do than the mentioned idea, and

This is what the 'seal.o' module does right now. I certainly agree that
it is much easier than creating a semi-permeable version of seal.

> even has some chance of getting audited properly.

However, I don't agree that it fully solves the problem I want to solve.
There are too many subsystems which rely _fundamentally_ on modules -
pcmcia is an example. In addition, making security easier to use
generally increases it's use.

I think there just doesn't exist an elegant way to make 'seal.o'
selectively porous to preselected modules. It's logically possible using
md5, but not mechanically possible because of the relocation which occurs
in user space. For anyone with ideas: I'm all ears.

-John

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

Next message: Kanoj Sarcar: "[PATCH] 2.3.23 patch to fix SMP kernel hang on UP machines"
Previous message: CompWiz: "Kernel 2.2.14pre2 won't compile w/ipforward err"