tech-kern archive


Re: kernel module loading vs securelevel



If I remember correctly, autoload bypasses the authorization calls within the module subsystem. Autoload also works ONLY for modules that are either built-in, passed by the bootloader, or located in the "official" directory; autoloading from the filesystem is prohibited if the pathname contains any '/'.



On Sat, 16 Oct 2010, Izumi Tsutsui wrote:

XXX: module files can be loaded only on single user?

It looks like kernel modules can't be loaded on multi user,
i.e. if kernel securelevel is 1, unless options INSECURE is specified.

i386 has options INSECURE by default so it just works,
but is it an intended feature?

It would seem to be intentional.  After all, kernel modules can
do all sorts of nasty things if they want to.

In that case, module autoload/autounload is not functional at all and
we have to specify all possible necessary modules explicitly
during boot time??

---
Izumi Tsutsui





-------------------------------------------------------------------------
| Paul Goyette     | PGP Key fingerprint:     | E-mail addresses:       |
| Customer Service | FA29 0E3B 35AF E8AE 6651 | paul at whooppee.com    |
| Network Engineer | 0786 F758 55DE 53BA 7731 | pgoyette at juniper.net |
| Kernel Developer |                          | pgoyette at netbsd.org  |
-------------------------------------------------------------------------

