> > Not allowing module loads is reasonable, actually. That does NOT change the
> > fact that no module should access "securelevel", which is the original problem.
>
> Yes. Allowing module loads has to be blocked by securelevel
This would make the use of kerneld impossible. I suggest to
- Mark the modules immuteable using the immutable file attribute.
- Allow only loading of modules owned by root and marked immutable.
- Loading of modules from filesystems that don't support the immutable
attribute is forbidden. This prevents the (ab)use of certain filesystem
like NFS etc.
- A mechanism that allows to limit loading of modules to certain programs:
In case of kerneld require that it's inode is also immuteable and
owned by root or kerneld must have been started before the securelevel
was raised.
I think this policy for the loading of modules should be acceptable from
both point of security and useability of modules.
Ralf