Subject: Re: LKM's shouldn't be allowed to be loaded in multiuser mode.
To: None <tech-kern@NetBSD.ORG>
From: Jarle Fredrik Greipsland <Jarle.F.Greipsland@idt.unit.no>
List: tech-kern
Date: 03/21/1995 21:19:03
Just a few random thoughts concerning the loadable kernel modules:

First, I've assumed that systems can be categorized into two
categories, the ones that are used for development or explicitly
declared "insecure" by their admins, and the in-production systems
meant to be secure.

The first category doesn't really pose any problems, I should think,
as I'd expect them to run with securelevel set to -1 or whatever.

The second category is systems where, if I've understood you
correctly, no one should be able to load anything "unsuitable" into the
kernel or do other nasty things, even when running with uid=0
(i.e. the idea is to protect the kernel's integrity from everyone
while in multiuser mode).  This led to not permitting the loading of
kernel modules after /etc/rc has been run.  Still, many think it would
be nice to be able to load seldom used pieces of code at a later
time, i.e. when needed.  So, what I'm proposing is to give the kernel
the means to verify that a module is "approved" for use on a given
system.  This could be implemented with some sort of signatures, much
like Betsy-certificates for software packages.  The valid signatures
are loaded into the kernel either at compile time, i.e. all possible
loadable modules must be known at compile time, or at /etc/rc run
time, e.g. from an immutable file.  Thus it will require either a new
kernel (and a reboot), or single-user operation to add module
signatures to the system, but once in, the modules themselves can be
loaded on demand.  The problem of someone hacking root and loading
mischievous code into the kernel would then be solved, but the problem
of when to unload modules still remains....  Remove the modunload
functionality perhaps?

Comments?

(Another question: How secure, really, is a system that's protected by
the "securelevel model"?  To me it seems that for the system to still
be secure through a couple of reboots you'd have to make a fair bit of
your userland "immutable", at least all programs used from /etc/rc*.
Isn't this a bit impractical, or does the security "stop" when a
reboot is encountered?  Hmm, security is always impractical, I guess
:-) )

					-jarle
----
"Physics and Law Enforcement -- if it weren't for those two,
 I'd be unstoppable."
                		-- Dan Sorensen in alt.peeves
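The policy proposed in the post above (approved-module signatures registered only while the system is still in single-user mode or from /etc/rc, the table locked once securelevel is raised, and later on-demand loads verified against it) as a user-space sketch. This is an added example, not code from the post or from NetBSD's LKM code: the function names, error codes, table size, and the use of 64-bit FNV-1a as a stand-in for a real signature check are all assumptions made for illustration, and the module image is a constructed byte string.

```c
/*
 * Added example (not from the original post or NetBSD): a user-space
 * sketch of the proposed policy.  A table of "approved" module digests is
 * filled while securelevel is still <= 0 (single-user or /etc/rc time),
 * the table is locked when securelevel is raised, and a module may be
 * loaded afterwards only if its name is approved and its image digest
 * matches.  FNV-1a is an assumption standing in for a real signature
 * check; the names, error codes and sizes are hypothetical.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_APPROVED 16
#define NAME_LEN 32

enum { LKM_OK = 0, LKM_EPERM = -1, LKM_ENOENT = -2, LKM_EBADSIG = -3, LKM_ENOSPC = -4 };

struct approved {
    char name[NAME_LEN];
    uint64_t digest;
};

static struct approved table[MAX_APPROVED];
static size_t napproved;
static int securelevel = -1;   /* insecure / single-user until rc raises it */

/* Toy stand-in for signature verification: 64-bit FNV-1a over the image. */
uint64_t module_digest(const unsigned char *image, size_t len)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= image[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Back to the boot-time state (what a reboot would give you). */
void lkm_reset(void)
{
    memset(table, 0, sizeof table);
    napproved = 0;
    securelevel = -1;
}

/* Registering a digest is only allowed before securelevel is raised. */
int lkm_approve(const char *name, uint64_t digest)
{
    if (securelevel > 0)
        return LKM_EPERM;
    if (napproved >= MAX_APPROVED)
        return LKM_ENOSPC;
    strncpy(table[napproved].name, name, NAME_LEN - 1);
    table[napproved].name[NAME_LEN - 1] = '\0';
    table[napproved].digest = digest;
    napproved++;
    return LKM_OK;
}

/* One-way while the system is up: only a reboot brings it back down. */
void lkm_raise_securelevel(void) { if (securelevel < 1) securelevel = 1; }

/* On-demand load: name must be approved and the image digest must match.
 * On an insecure system (securelevel <= 0) unknown modules still load. */
int lkm_load(const char *name, const unsigned char *image, size_t len)
{
    for (size_t i = 0; i < napproved; i++) {
        if (strcmp(table[i].name, name) != 0)
            continue;
        return module_digest(image, len) == table[i].digest ? LKM_OK : LKM_EBADSIG;
    }
    return securelevel > 0 ? LKM_ENOENT : LKM_OK;
}

/* Runs the scenario from the post; returns 0 if every check behaved as
 * intended, otherwise the number of the first check that did not. */
int lkm_demo(void)
{
    static const unsigned char image[] = "constructed module image: if_foo v1";
    unsigned char tampered[sizeof image];
    uint64_t d = module_digest(image, sizeof image);

    lkm_reset();
    /* 1. /etc/rc (or single-user) registers the approved digest. */
    if (lkm_approve("if_foo", d) != LKM_OK) return 1;
    /* 2. going multiuser raises securelevel; the table is now locked. */
    lkm_raise_securelevel();
    if (lkm_approve("if_bar", d) != LKM_EPERM) return 2;
    /* 3. the genuine module still loads on demand. */
    if (lkm_load("if_foo", image, sizeof image) != LKM_OK) return 3;
    /* 4. a module that was never approved is refused. */
    if (lkm_load("if_evil", image, sizeof image) != LKM_ENOENT) return 4;
    /* 5. an approved name with a modified image is refused. */
    memcpy(tampered, image, sizeof image);
    tampered[5] ^= 0x01;
    if (lkm_load("if_foo", tampered, sizeof tampered) != LKM_EBADSIG) return 5;
    return 0;
}

int main(void)
{
    int r = lkm_demo();
    printf("%s\n", r == 0 ? "all checks behaved as intended" : "a check failed");
    return r;
}
```

Note that this only addresses the loading side that the post discusses; it does nothing about unloading, and a real implementation would verify a signature over the image rather than compare a digest the kernel itself computed at rc time.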