    modules: sysctl to block module loading · 3d43321b
    Kees Cook authored
    Implement a sysctl file that disables module-loading system-wide since
    there is no longer a viable way to remove CAP_SYS_MODULE after the system
    bounding capability set was removed in 2.6.25.
    Value can only be set to "1", and is tested only if standard capability
    checks allow CAP_SYS_MODULE.  Given existing /dev/mem protections, this
    should allow administrators a one-way method to block module loading
    after initial boot-time module loading has finished.
    Signed-off-by: Kees Cook <kees.cook@canonical.com>
    Acked-by: Serge Hallyn <serue@us.ibm.com>
    Signed-off-by: James Morris <jmorris@namei.org>
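
The one-way lock described in the commit message, as an added example that is not part of the commit or the kernel source: a POSIX shell helper that sets the lock only after the modules an administrator requires are loaded, then re-reads the value to confirm it. It assumes the sysctl is exposed as `/proc/sys/kernel/modules_disabled` (its name in mainline Linux, not stated on this page); `PROC_ROOT` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption: the sysctl lives at
# $PROC_ROOT/sys/kernel/modules_disabled (mainline name, not from the page).
# PROC_ROOT is a hypothetical override so the logic can be exercised
# against a constructed directory instead of the live /proc.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print "locked", "open" or "unsupported" for the current kernel.
modules_lock_state() {
    f="$PROC_ROOT/sys/kernel/modules_disabled"
    if [ ! -r "$f" ]; then
        echo unsupported
        return 0
    fi
    case "$(cat "$f")" in
        1) echo locked ;;
        0) echo open ;;
        *) echo unsupported ;;
    esac
}

# Return 0 only if every named module appears in the loaded-module list.
modules_loaded() {
    for m in "$@"; do
        awk -v m="$m" '$1 == m { found = 1 } END { exit !found }' \
            "$PROC_ROOT/modules" 2>/dev/null || return 1
    done
}

# Set the lock once the required modules (arguments) are present.
# The setting cannot be undone, so a missing module means "do not lock yet".
# Returns: 0 locked, 1 write rejected, 2 sysctl unavailable, 3 module missing.
lock_modules_when_ready() {
    case "$(modules_lock_state)" in
        locked) return 0 ;;
        open) ;;
        *) return 2 ;;
    esac
    modules_loaded "$@" || return 3
    { echo 1 > "$PROC_ROOT/sys/kernel/modules_disabled"; } 2>/dev/null || return 1
    # Re-read rather than trust the write: confirm the kernel accepted it.
    [ "$(modules_lock_state)" = locked ] || return 1
}
```

On a live system the write needs CAP_SYS_MODULE, and a return code of 3 means a late boot step should retry rather than lock early.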
sysctl.c 73 KB