tech-kern archive


Re: kernel module loading vs securelevel



On Sat, Oct 16, 2010 at 12:35:02PM +0900, Izumi Tsutsui wrote:
> >  > > It would seem to be intentional.  After all, kernel modules can
> >  > > do all sorts of nasty things if they want to.
> >  > 
> >  > In that case, module autoload/autounload is not functional at all and
> >  > we have to specify all possible necessary modules explicitly
> >  > during boot time??
> > 
> > Yes. Otherwise it's quite easy to defeat securelevel by causing the
> > loading of a module that resets it to -1.
> 
> Hmm, what do you think about this feature?
> Only available in INSECURE environment?

I'm with Tsutsui-san here.

We trust modules at the time when they're installed into the trusted
place, same as the kernel itself.  I think prohibiting module load at
run-time is rather pointless.

I think that the common belief that "kernel modules are evil because
they can do everything" comes from situations where vendors want to
restrict users' access to the system, e.g., Apple iPhone vs. jailbreak.
In those cases kernel modules are surely not good.  Usual NetBSD use
cases are different from those.

Masao

> 
> >> Working file: kern_module.c
> >> revision 1.26
> >> date: 2008/11/14 23:06:45;  author: ad;  state: Exp;  lines: +85 -3
> >> - If the system encounters a severe memory shortage, start unloading
> >>   unused kernel modules.
> >> - Try to unload any autoloaded kernel modules 10 seconds after their
> >>   load was successful.
> 
> ---
> Izumi Tsutsui

-- 
Masao Uebayashi / Tombi Inc. / Tel: +81-90-9141-4635

