modules: sysctl to block module loading

Implement a sysctl file that disables module-loading system-wide since
there is no longer a viable way to remove CAP_SYS_MODULE after the system
bounding capability set was removed in 2.6.25.

Value can only be set to "1", and is tested only if standard capability
checks allow CAP_SYS_MODULE.  Given existing /dev/mem protections, this
should allow administrators a one-way method to block module loading
after initial boot-time module loading has finished.

Signed-off-by: Kees Cook <kees.cook@canonical.com>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
diff --git a/kernel/module.c b/kernel/module.c
index f77ac32..eeb3f7b 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -778,6 +778,9 @@
 	mutex_lock(&module_mutex);
 }
 
+/* Block module loading/unloading? */
+int modules_disabled = 0;
+
 SYSCALL_DEFINE2(delete_module, const char __user *, name_user,
 		unsigned int, flags)
 {
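Review bot: The comment on `modules_disabled` does not state the one-way contract that the commit description relies on, and as a plain writable global `int` nothing in this file stops it from being set back to 0. The guarantee therefore rests entirely on the sysctl handler, which is not among the hunks shown here. I would say so at the definition, e.g. `/* Non-zero blocks module load and unload; set once via sysctl, never cleared. */`. The explicit `= 0` is also redundant for an object with static storage duration, and kernel style normally omits it.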
@@ -785,7 +788,7 @@
 	char name[MODULE_NAME_LEN];
 	int ret, forced = 0;
 
-	if (!capable(CAP_SYS_MODULE))
+	if (!capable(CAP_SYS_MODULE) || modules_disabled)
 		return -EPERM;
 
 	if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0)
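Review bot: A refusal caused by `modules_disabled` cannot be told apart from a missing CAP_SYS_MODULE here, because both return -EPERM from the same `if` and nothing is logged. The same holds for the test under `/* Must have permission */` in the last hunk. A caller that holds the capability and is still refused is exactly the event an administrator would want to see after locking the system down. Consider keeping the capability test first, as the description intends, and following it with a separate `if (modules_disabled) { /* rate-limited log line */ return -EPERM; }`. The body of delete_module continues past the end of this hunk.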
@@ -2349,7 +2352,7 @@
 	int ret = 0;
 
 	/* Must have permission */
-	if (!capable(CAP_SYS_MODULE))
+	if (!capable(CAP_SYS_MODULE) || modules_disabled)
 		return -EPERM;
 
 	/* Only one module load at a time, please */
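Review bot: The `/* Must have permission */` comment above the changed test no longer describes everything it guards, since a caller with CAP_SYS_MODULE is now also refused once `modules_disabled` is set. I would update it to `/* Must have permission, and module loading must not be disabled */` so the next reader does not take the line for a pure capability check. The enclosing function begins and ends outside this hunk.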