Add CONFIG_MODULE_RESTRICT_AUTOLOAD and modrestrict parameter documentation.
Signed-off-by: Michal Gorlas <[email protected]> --- Documentation/admin-guide/kernel-parameters.txt | 5 +++++ kernel/module/Kconfig | 15 +++++++++++++++ 2 files changed, 20 insertions(+) diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 03a550630644..1013104f0943 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -4185,6 +4185,11 @@ Kernel parameters For details see: Documentation/admin-guide/hw-vuln/processor_mmio_stale_data.rst + modrestrict=<bool> + Control the restriction of module auto-loading to + CAP_SYS_ADMIN. If no <bool> value is specified, this + is set to the value of CONFIG_MODULE_RESTRICT_AUTOLOAD. + <module>.async_probe[=<bool>] [KNL] If no <bool> value is specified or if the value specified is not a valid <bool>, enable asynchronous diff --git a/kernel/module/Kconfig b/kernel/module/Kconfig index 43b1bb01fd27..c9e01bb848c0 100644 --- a/kernel/module/Kconfig +++ b/kernel/module/Kconfig @@ -337,6 +337,21 @@ config MODULE_SIG_HASH endif # MODULE_SIG || IMA_APPRAISE_MODSIG +config MODULE_RESTRICT_AUTOLOAD + bool "Restrict module auto-loading to privileged users" + default n + help + Restrict module auto-loading in response to use of some feature + implemented by an unloaded module to CAP_SYS_ADMIN. Enabling this + option helps reducing the attack surface where unprivileged users + can abuse auto-loading to cause a vulnerable module to load that is + then exploited. + + Note that this option also prevents a benign use of auto-loading for + a non-root users. Thus if enabled, the root user should execute + modprobe manually if needed, or add the module to the list of modules + loaded at the boot by modifying init scripts. + config MODULE_COMPRESS bool "Module compression" help -- 2.54.0
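Review bot: In the Documentation/admin-guide/kernel-parameters.txt hunk, the syntax line "modrestrict=<bool>" does not match the description, which covers the case where "no <bool> value is specified". If a bare "modrestrict" is accepted, write the entry as "modrestrict[=<bool>]" like the "<module>.async_probe[=<bool>]" entry right below it. If the sentence instead means the parameter is absent from the command line, say so. The entry also lacks a restriction tag such as the "[KNL]" its neighbour carries, and it does not state which <bool> value turns the restriction on or what happens when the value is not a valid <bool>. One sentence each would settle both for an administrator reading this file.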
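Review bot: In the kernel/module/Kconfig hunk, the help text for MODULE_RESTRICT_AUTOLOAD never mentions the modrestrict= boot parameter, although the kernel-parameters.txt entry says the parameter falls back to this option's value. Please add a line saying that this option only sets the default and that modrestrict= overrides it at boot. The "default n" line can be dropped, since a bool symbol without a default is already n. The help text also needs a few wording fixes: "helps reducing" should be "helps reduce", "for a non-root users" should be "for non-root users", and "loaded at the boot" should be "loaded at boot". Finally, the commit message describes this as adding documentation, but this hunk introduces the config symbol itself, so the message should either say that or name the patch that adds the code using it.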

