Subject: Re: chroot(2)
To: None <tech-kern@netbsd.org>
From: Greg A. Woods <woods@most.weird.com>
List: tech-kern
Date: 10/06/1998 13:39:59
[ On Tue, October 6, 1998 at 01:02:02 (-0600), Warner Losh wrote: ]
> Subject: Re: chroot(2) 
>
> The whole point of chroot is to make it possible to have a sandbox
> that can do whatever it wants w/o impacting the running of a system,
> within some well known limits.  Loading an LKM impacts the entire
> system, by definition.

The whole concept of LKMs doesn't fit very well into the Unix security
model (and of course I mean "security" in all its senses).  They are an
interesting facility, but I don't think they're necessary in your
"average" system, and they're definitely "bad" after the system has
entered a "stable" level of operation.  Since LKMs are in fact not
loadable after the system enters a securelevel > 0, I'd argue that it's
not necessary to do anything special to stop LKMs from being loaded by
chroot'ed processes.

(I note that the documentation surrounding the LKM facility does not
talk about whether or not the system securelevel comes into effect,
though luckily it does in the code! ;-)

(The only really good documentation on securelevel seems to appear in
the <sys/systm.h> header (which is a rather strange place for it given
no other variables declared therein are documented in such detail there)
and in init(8), and LKMs are not mentioned in either place....)

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods@acm.org>      <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>