Subject: Re: Apollo keyboard, serial drivers (announce)
To: Chris G. Demetriou <cgd@cs.cmu.edu>
From: Bill Studenmund <wrstuden@loki.stanford.edu>
List: port-hp300
Date: 04/16/1997 12:05:40
> 
> > > There's a problem even with the lkm approach:
> > > 
> > > You only can load LKMs during single user mode.
> > 
> > Why is this?  I don't understand...
> 
> Because if you can load LKMs at a higher security level, those LKMs
> can then disable the security level checking.  (LKMs loaded at
> single-user mode, or from rc, can reasonably be considered 'trusted.')

I think this has been mentioned before (and is a slight subject drift),
but what about the idea of "Identifying" lkm's to the system from rc,
and then letting root load them later.

The idea would be to add a new option to modload (and whatever kernel
calls it makes). Basically rather than loading a module, the kernel looks
at the module, and generates some check info on the module. The check
info is kept, and the module dumped. Later, root can load the module.
If the checks are off, the load is rejected.

Some checks I had in mind were size, name, and something like an MD5
checksum. Though since the check results are not exported out of the
kernel, we can do whatever.

So why do this "Identify" thing rather than just load a module? Well,
you might have a couple of rodent modules, and only want to load the
one you're using (there could be name space conflicts). Or for other
modules, like rarely-used file systems, you don't want to tie down the
space all the time.

However I'm suggesting something I don't have the time right now to do. :-(

Take care,

Bill
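
A minimal user-space model of the identify-then-load idea proposed in the message above, added here as an illustration; it is not code from the original post or from NetBSD. The class and method names are hypothetical, SHA-256 stands in for the MD5 checksum the message mentions, and the module images are constructed byte strings.

```python
import hashlib
import hmac


class ModuleRegistry:
    """Toy model of an in-kernel table of 'identified' modules (hypothetical)."""

    def __init__(self):
        self.securelevel = 0   # 0 models the single-user / rc stage (trusted)
        self._known = {}       # name -> (size, digest); never exported

    def identify(self, name, image):
        """Record check info for a module image without keeping the image."""
        if self.securelevel > 0:
            raise PermissionError("identify is only allowed before securelevel is raised")
        self._known[name] = (len(image), hashlib.sha256(image).digest())

    def load(self, name, image):
        """Return True if the load is accepted, False if it is rejected."""
        if self.securelevel <= 0:
            return True        # trusted stage: loads are unrestricted, as today
        entry = self._known.get(name)
        if entry is None:
            return False       # never identified from rc
        size, digest = entry
        # Check the exact bytes that are about to be linked in, not a path,
        # so the image cannot be swapped between the check and the load.
        actual = hashlib.sha256(image).digest()
        return len(image) == size and hmac.compare_digest(actual, digest)


def demo():
    reg = ModuleRegistry()
    mouse = b"constructed sample image: busmouse module"
    reg.identify("busmouse", mouse)      # done from rc, while still trusted
    reg.securelevel = 1                  # system goes multi-user
    results = {
        "identified": reg.load("busmouse", mouse),
        "tampered": reg.load("busmouse", mouse[:-1] + b"X"),
        "truncated": reg.load("busmouse", mouse[:-4]),
        "unknown": reg.load("msdosfs", b"constructed sample: never identified"),
    }
    try:
        reg.identify("msdosfs", b"constructed sample: late identify")
        results["late_identify"] = True
    except PermissionError:
        results["late_identify"] = False
    return results


if __name__ == "__main__":
    print(demo())
```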