tech-kern archive


Re: kernel module loading vs securelevel



On Sat, 16 Oct 2010, David Holland wrote:

> On Sat, Oct 16, 2010 at 05:07:30AM -0700, Paul Goyette wrote:
> > autoload/autounload does NOT perform any authorization checks -
> > please look at the code!  No checking of securelevel occurs, as far
> > as I can see.  For autoload, the module name must not contain a
> > '/', so if the module is being loaded from the file system it must
> > be loaded from the "blessed" /stand/${ARCH}/${VERSION}/modules
> > directory.  Including the INSECURE option will have no effect on
> > autoloading of modules.
>
> If this is true it makes securelevel useless; all you need to do is
> put a hostile module in the right place and cause it to be autoloaded.
> (Remember the point of securelevel is that even root can't lower it.)

John Nemeth has already pointed out that my reading of the code was flawed. Module autoloading _does_ call kauth for authorization. The kauth listener provided by the module subsystem returns ALLOW for all autoload calls, but this gets overridden by another kauth listener, so autoload still gets denied.

> It should be sufficient, I think, to check at boot time that any
> module that can be autoloaded is marked immutable.

And also make the "blessed" directory itself immutable?  :)


-------------------------------------------------------------------------
| Paul Goyette     | PGP Key fingerprint:     | E-mail addresses:       |
| Customer Service | FA29 0E3B 35AF E8AE 6651 | paul at whooppee.com    |
| Network Engineer | 0786 F758 55DE 53BA 7731 | pgoyette at juniper.net |
| Kernel Developer |                          | pgoyette at netbsd.org  |
-------------------------------------------------------------------------
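The listener-combination rule behind the "ALLOW gets overridden by another listener" point above, as an added userland model that is not code from this thread or from the NetBSD tree: it assumes the kauth(9) result semantics (any DENY wins, one ALLOW with no DENY allows, all-DEFER is denied), and the listener names and the request struct are constructed for illustration.

```c
/* Added model of the kauth(9) result rule (not code from the thread or
 * from NetBSD): any DENY overrides ALLOW, one ALLOW with no DENY allows,
 * and all-DEFER is denied. Listener names and the request are constructed. */
#include <stddef.h>

enum result { DEFER, ALLOW, DENY };

struct request {
    int autoload;    /* 1 for an autoload, 0 for an explicit modload */
    int securelevel; /* securelevel in force when the request is made */
};

typedef enum result (*listener_fn)(const struct request *);

/* Models the module subsystem's listener as the thread describes it:
 * ALLOW for every autoload, no opinion on anything else. */
enum result module_listener(const struct request *r)
{
    return r->autoload ? ALLOW : DEFER;
}

/* Models a securelevel listener: refuses any module load above level 0. */
enum result securelevel_listener(const struct request *r)
{
    return r->securelevel > 0 ? DENY : DEFER;
}

/* Combine the answers: one DENY wins outright, otherwise one ALLOW
 * suffices, and if every listener defers the request is denied. */
enum result authorize(const struct request *r, listener_fn *ls, size_t n)
{
    int allowed = 0;
    for (size_t i = 0; i < n; i++) {
        enum result res = ls[i](r);
        if (res == DENY)
            return DENY;
        if (res == ALLOW)
            allowed = 1;
    }
    return allowed ? ALLOW : DENY;
}

/* Returns 1 if an autoload would be permitted at this securelevel: the
 * module listener's ALLOW cannot rescue it once securelevel says DENY. */
int autoload_permitted(int securelevel)
{
    listener_fn ls[] = { module_listener, securelevel_listener };
    struct request r = { .autoload = 1, .securelevel = securelevel };
    return authorize(&r, ls, 2) == ALLOW;
}
```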

