Add option to restrict the module auto-loading to CAP_SYS_ADMIN. This is heavily inspired by CONFIG_GRKERNSEC_MODHARDEN of the latest available Grsecurity patches [1]. Instead of checking whether the callers' UID is 0, check whether the calling process has CAP_SYS_ADMIN. The reasoning here is that many modules are autoloaded by systemd services which are running as privileged users, but do not have UID 0. While systemd-udevd runs as root, systemd-network (which often auto-loads a module) for example runs as system user (UID range 6 to 999).
When enabled, reduces attack surface where unprivileged users can trigger vulnerable module to be auto-loaded, to then exploit it. Recent LPEs (CopyFail [3], DirtyFrag [4]) for example, would have been mitigated with this option enabled as long as the vulnerable modules are not built-in (or already loaded at the point of running the exploit). [1] - https://github.com/minipli/linux-unofficial_grsec/blob/linux-4.9.x-unofficial_grsec/kernel/kmod.c#L153 [2] - https://systemd.io/UIDS-GIDS/ [3] - https://github.com/theori-io/copy-fail-CVE-2026-31431 [4] - https://github.com/V4bel/dirtyfrag Signed-off-by: Michal Gorlas <[email protected]> --- Michal Gorlas (2): module: add CONFIG_MODULE_RESTRICT_AUTOLOAD module: restrict autoload to CAP_SYS_ADMIN if CONFIG_MODULE_RESTRICT_AUTOLOAD Documentation/admin-guide/kernel-parameters.txt | 5 +++++ kernel/module/Kconfig | 15 +++++++++++++++ kernel/module/internal.h | 1 + kernel/module/kmod.c | 5 +++++ kernel/module/main.c | 11 +++++++++++ 5 files changed, 37 insertions(+) --- base-commit: 663385f9155f27892a97a5824006f806a32eb8dc change-id: 20260515-autoload_restrict-cfa6727c4d72 Best regards, -- Michal Gorlas <[email protected]>
