Kernel module


Postby dystopia » Mon Dec 02, 2002 8:05 pm

There are some kernel modules which hide processes for root from ps aux. Knark, for example. What could a kernel module do against GrSecurity in theory? Could it disable the ACL system? I'm pretty much interested in whether, and how much, the ACL system can prevent this intrusion.
dystopia
 
Posts: 14
Joined: Sun Jun 30, 2002 5:05 pm

Postby spender » Mon Dec 02, 2002 9:41 pm

There are two features of grsecurity that prevent modification of the kernel via /dev/mem and /dev/kmem. This is independent of the ACL system. If you have module support disabled, then you've got the three generic methods covered. If you need module support, you should use the ACL system, as it protects against loading rogue modules by default, and enforces this.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby dystopia » Mon Dec 02, 2002 10:08 pm

spender wrote: There are two features of grsecurity that prevent modification of the kernel via /dev/mem and /dev/kmem. This is independent of the ACL system. If you have module support disabled, then you've got the three generic methods covered. If you need module support, you should use the ACL system, as it protects against loading rogue modules by default, and enforces this.


Thanks for the answers.

Building with no modules won't be a solution in 2.6.x, I assume, because I heard it will only be able to use modules then.

Won't the protection against rogue modules break a FreeS/WAN module (for example)?

Postby spender » Mon Dec 02, 2002 10:11 pm

You can load the modules before the ACL system is loaded (this shouldn't be a security risk, as /etc is protected while the ACL system is running, assuming you keep it enabled the whole time the system is on), or you can grant specific applications permission to load modules and, through your object permissions, control which ones they can load (though there's not a mode that specifies that an object is allowed to be used as an LKM), or you can insert it within admin mode.

-Brad
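The two non-interactive options in spender's reply, written up as a script. This is an example added to the thread, not code from the thread or from the grsecurity project. It assumes that gradm is in PATH, that "gradm -E" enables the RBAC system and "gradm -S" prints a status line containing "enabled" or "disabled", that /proc/modules lists loaded modules with the module name in the first column, and that the policy fragment it prints follows gradm's subject/object syntax (subject path, object paths with mode letters, +CAP_/-CAP_ lines); the module names and paths used are placeholders for your own.

```shell
#!/bin/sh
# Added example for this thread; not code from the thread or from grsecurity.
# Option 1 from spender's reply: load the modules the box needs (FreeS/WAN's
# ipsec module is the thread's example) BEFORE the RBAC system is enabled,
# verify they are in, then enable RBAC for the rest of the uptime.
# Option 2 is shown as a policy fragment that lets one loader binary keep
# CAP_SYS_MODULE and read only one module directory.
set -eu

# Modules that must be present before RBAC goes on (assumed list; edit it).
PRE_RBAC_MODULES="ipsec"

# module_loaded NAME [MODULES_FILE]
# Succeeds if NAME is the first field of a line in MODULES_FILE
# (default /proc/modules, assumed format: name first, one module per line).
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "${2:-/proc/modules}"
}

# missing_modules "name1 name2 ..." [MODULES_FILE]
# Prints the names from the list that are NOT loaded, one per line.
missing_modules() {
    for m in $1; do
        module_loaded "$m" "${2:-/proc/modules}" || echo "$m"
    done
}

# rbac_status_enabled STATUS_TEXT
# Parses the text printed by "gradm -S" (assumed to say "enabled" or
# "disabled") and succeeds only when the RBAC system is enabled.
rbac_status_enabled() {
    case "$1" in
        *disabled*) return 1 ;;
        *enabled*)  return 0 ;;
        *)          return 1 ;;
    esac
}

# module_loader_policy LOADER MODDIR
# Prints a subject for option 2: LOADER sees nothing but MODDIR (read-only)
# and keeps only CAP_SYS_MODULE. Which modules it may load is decided by
# which module files it may read, since there is no dedicated "usable as
# LKM" object mode. Syntax is assumed gradm policy syntax; the loader's own
# binary, libraries and config would need objects too (omitted here).
module_loader_policy() {
    printf 'subject %s o {\n' "$1"
    printf '\t/\t\t\th\n'
    printf '\t%s\t\tr\n' "$2"
    printf '\t-CAP_ALL\n'
    printf '\t+CAP_SYS_MODULE\n'
    printf '}\n'
}

# The boot-time procedure (option 1). Refuses to run once RBAC is already
# enabled, because then module loading is governed by the policy instead.
main() {
    if rbac_status_enabled "$(gradm -S 2>&1 || true)"; then
        echo "RBAC already enabled; load modules via policy or admin mode" >&2
        exit 1
    fi

    for m in $PRE_RBAC_MODULES; do
        module_loaded "$m" || modprobe "$m"
    done

    missing=$(missing_modules "$PRE_RBAC_MODULES")
    if [ -n "$missing" ]; then
        echo "still not loaded: $missing" >&2
        exit 1
    fi

    # Enable RBAC and keep it on; from here /etc is protected by the policy.
    gradm -E
    rbac_status_enabled "$(gradm -S 2>&1)" || { echo "RBAC not enabled" >&2; exit 1; }
}

# Only run the procedure when asked; sourcing the file just defines functions.
if [ "${1:-}" = "--apply" ]; then
    main
fi
```

Run it as `sh load-modules-then-rbac.sh --apply` from the init script that would otherwise just call `gradm -E`; `module_loader_policy /sbin/insmod /lib/modules/<version>/net/ipsec` prints the fragment for option 2, to be merged into your policy file and checked against your gradm version's documented syntax.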
