disable_modules
Posted: Tue Aug 01, 2006 2:50 am
hello,
There is a nice feature, /proc/sys/kernel/grsecurity/disable_modules, which prevents any module insertion/removal at runtime.
But turning it on prevents disabling it, even if there is "0" in grsec_lock.
Can this feature be somehow temporarily disabled (for inserting a newly compiled module without a reboot)?
It could be done by keeping 0 in disable_modules and using ACL to prevent execution of the modprobe/insmod/rmmod commands, but I'm not sure if it is sufficient. Are there other ways for module manipulation, and can they be prevented while keeping the ability to temporarily allow them?