On Wed, 24 Feb 2010, Robert Bonomi wrote:
I'm building custom kernels for use in 'hostile' environments -- where I need to enforce "restricted" capabilities, even in the event of malicious 'root' access. (if the bad guy has *physical* access to the machine, I know I'm toast, so I don't try to protect against _that_ in software -- beyond the usual access-control mechnisms, that is.) To accomplish this, I need to (among other things) *completely* disable kernel 'loadable module' functionality. Building the required monolithic kernel is no problem, and by booting from _physical_ read-only media, I can protect against bootloader/kernel/application substitution. I just need to make it "impossible" to add modules to the running system.
I don't see how this is really bullet-proof possible. Anyone with root access can edit loader.conf and force a reboot --- or wait until a power interuption or something causes a reboot. You pretty much have to be able to reboot the machine, soo... It seems to me you could replace kldload (the command, not the system call) with a dummy script which would raise the bar a bit. You could remove (I think) the modules you are afraid of, but someone with root priviledges could replace them with trojans. -- Lars Eighner http://www.larseighner.com/index.html 8800 N IH35 APT 1191 AUSTIN TX 78753-5266 _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
