disable_modules

Post by salam » Tue Aug 01, 2006 2:50 am

hello,

there is a nice feature /proc/sys/kernel/grsecurity/disable_modules, which prevents any module inserting/removing at runtime.

but turning it on prevents disabling it even if there is "0" in grsec_lock
can this feature be somehow temporarily disabled (for inserting a newly compiled module without reboot)?

it could be done with keeping 0 in disable_modules and using ACL, prevent execution of modprobe/insmod/rmmod commands. but i'm not sure if it is sufficient. are there other ways for module manipulation and can they be prevented, keeping the ability of temporarily allowing them?
salam
 
Posts: 27
Joined: Wed Jul 19, 2006 7:22 am

Post by spender » Tue Aug 01, 2006 5:04 pm

What version of grsecurity are you using? This should have been fixed in the latest version.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Post by salam » Wed Aug 02, 2006 9:52 am

i'm using gentoo linux with kernel 2.6.16-hardened-r10 and gradm v2.1.9

and get this:
echo 0 > disable_modules
-su: echo: write error: Operation not permitted

while
grsec_lock is 0

###EDIT: perhaps disabling CAP_SYS_MODULE for every subject and role would help?
salam
 
Posts: 27
Joined: Wed Jul 19, 2006 7:22 am
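
An added example, not part of the thread and not grsecurity's own tooling: a read-only shell check that reports the two sysctls discussed above and whether the calling process holds CAP_SYS_MODULE (bit 16 of the CapEff mask in /proc/self/status). The function names and verdict labels are assumptions made for illustration, and the check reads only the kernel's capability mask; it does not evaluate gradm policy.

```shell
#!/bin/sh
# Added example: report the module-loading controls named in the thread.
# Both paths can be overridden so the check also runs against saved copies.
CAP_SYS_MODULE_BIT=16   # CAP_SYS_MODULE in linux/capability.h

# Print a sysctl value, or "absent" if the file is missing or unreadable.
read_sysctl() {
    if [ -r "$1" ]; then tr -d ' \n' < "$1"; else printf 'absent'; fi
}

# Print yes/no/unknown for CAP_SYS_MODULE in the CapEff line of a status file.
cap_sys_module_state() {
    [ -r "$1" ] || { echo unknown; return 0; }
    hex=$(awk '/^CapEff:/ {print $2}' "$1")
    case $hex in
        ''|*[!0-9a-fA-F]*) echo unknown; return 0 ;;
    esac
    if [ $(( (0x$hex >> $CAP_SYS_MODULE_BIT) & 1 )) -eq 1 ]; then
        echo yes
    else
        echo no
    fi
}

# Usage: module_lockdown_report [SYSCTL_DIR] [STATUS_FILE]
module_lockdown_report() {
    dir=${1:-/proc/sys/kernel/grsecurity}
    status=${2:-/proc/self/status}
    dm=$(read_sysctl "$dir/disable_modules")
    lock=$(read_sysctl "$dir/grsec_lock")
    cap=$(cap_sys_module_state "$status")
    if [ "$dm" = 1 ]; then
        verdict=blocked-by-sysctl        # module insert/remove disabled
    elif [ "$cap" = no ]; then
        verdict=blocked-by-capability    # sysctl off, capability missing
    elif [ "$cap" = yes ]; then
        verdict=loadable                 # neither control is in effect
    else
        verdict=unknown
    fi
    echo "disable_modules=$dm grsec_lock=$lock cap_sys_module=$cap verdict=$verdict"
}
```

Calling `module_lockdown_report` with no arguments inspects the live system; a value of `absent` means the sysctl file is not present on that kernel.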
