Re: another kconfig target for building monolithic kernel (for security) ?
From: Nix
Date: Sun Apr 30 2006 - 06:58:05 EST
On 29 Apr 2006, Arjan van de Ven prattled cheerily:
> On Sat, 2006-04-29 at 12:43 -0400, Dave Jones wrote:
>> On Sat, Apr 29, 2006 at 03:03:55PM +0200, devzero@xxxxxx wrote:
>>
>> > i want to harden a linux system (dedicated root server on the internet) by recompiling the kernel without support for lkm (to prevent installation of lkm based rootkits etc)
>>
>> Loading modules via /dev/kmem is trivial thanks to a bunch of tutorials and
>> examples on the web, so this alone doesn't make life that much more difficult for attackers.
>
> /dev/kmem should be a config option too though
Yeah, but in practice this should work (somewhat old patch, should still
apply):
diff -durN 2.6.14-seal-orig/include/linux/capability.h 2.6.14-seal/include/linux/capability.h
--- 2.6.14-seal-orig/include/linux/capability.h 2005-10-29 15:15:00.000000000 +0100
+++ 2.6.14-seal/include/linux/capability.h 2005-10-29 15:25:48.000000000 +0100
@@ -311,7 +311,7 @@
#define CAP_EMPTY_SET to_cap_t(0)
#define CAP_FULL_SET to_cap_t(~0)
-#define CAP_INIT_EFF_SET to_cap_t(~0 & ~CAP_TO_MASK(CAP_SETPCAP))
+#define CAP_INIT_EFF_SET to_cap_t(~0 & ~CAP_TO_MASK(CAP_SETPCAP) & ~CAP_TO_MASK(CAP_SYS_RAWIO))
#define CAP_INIT_INH_SET to_cap_t(0)
#define CAP_TO_MASK(x) (1 << (x))
> (and /dev/mem should get the filter patch that fedora has ;-)
Agreed.
--
`On a scale of 1-10, X's "brokenness rating" is 1.1, but that's only
because bringing Windows into the picture rescaled "brokenness" by
a factor of 10.' --- Peter da Silva
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/