[rsbac] secure module handling

Amon Ott rsbac@rsbac.org
Wed Sep 4 14:09:01 2002

On Wednesday, 4. September 2002 11:14, Andreas Baetz wrote:
> Hi,
> to make sure that only trusted kernel modules are loaded,
> I did the following (using RC and version 1.1.2):
> - assigned /lib/modules to rc_type_fd modules
> - assigned all binaries and libraries to rc_type_fd sysfiles
> - all roles have read_only to sysfiles and modules
> - created role module_admin
> - assigned rc_force_role of /sbin/insmod to role module_admin
> - removed add_to_kernel and remove_from_kernel 
>   from all roles except module_admin
> - removed all permissions to General_FD from
>   role module_admin
> Now insmod can only load modules from /lib/modules and
> nobody can write there. The system works, but every time
> modprobe, lsmod, rmmod or insmod are called, they try
> to access /etc/ld.so.cache. This is not granted. The modules
> get loaded and unloaded, though. Now I granted the role
> module_admin read to this file, but the inode changes every time
> ldconfig is run. But I don't want to grant read to /etc for that role,
> because then root could create some module there and load it.
> What do you think about my solution? Any comments?

Your solution looks good.

You can safely set /etc/ld.so.cache to read-only to avoid these problems - it 
only really needs to be recreated after library additions or updates.

You can also experiment with denying DELETE and RENAME only (e.g. FF flag) - 
the file should be updated correctly, but the inode would not change.

Gabor's solution looks nice, too, but requires careful alias settings. Your
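The inode behaviour discussed above (an in-place rewrite keeps the inode, while a create-temp-and-rename update of the kind ldconfig performs allocates a new one, which is why a per-inode RC grant on /etc/ld.so.cache silently stops matching) can be shown with plain POSIX file operations. The following script is an added illustration and not part of the original thread or of RSBAC; it uses no RSBAC tools, and the file name and contents are constructed inside a temporary directory.

```python
import os
import tempfile


def inode_of(path: str) -> int:
    """Return the inode number an RC per-inode grant would be pinned to."""
    return os.stat(path).st_ino


def write_in_place(path: str, data: bytes) -> None:
    """Overwrite the existing file through its own descriptor.

    Only WRITE-style access is needed; the directory entry and the
    inode stay the same, so an inode-based grant keeps working.
    """
    with open(path, "r+b") as f:
        f.truncate(0)
        f.write(data)


def write_via_rename(path: str, data: bytes) -> None:
    """Create a new file and rename it over the target (ldconfig-style).

    This needs CREATE in the directory plus RENAME/DELETE on the target,
    and the resulting file is a different inode: the old grant no longer
    applies and the new file is unrestricted until re-labelled.
    """
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.rename(tmp, path)


def demo() -> dict:
    """Run both update styles on a constructed ld.so.cache lookalike."""
    with tempfile.TemporaryDirectory() as d:
        cache = os.path.join(d, "ld.so.cache")  # constructed sample file
        with open(cache, "wb") as f:
            f.write(b"cache v1")
        original = inode_of(cache)

        write_in_place(cache, b"cache v2")
        after_in_place = inode_of(cache)

        write_via_rename(cache, b"cache v3")
        after_rename = inode_of(cache)

        with open(cache, "rb") as f:
            final = f.read()

        return {
            "in_place_preserved": after_in_place == original,
            "rename_changed": after_rename != original,
            "content_updated": final == b"cache v3",
        }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Denying DELETE and RENAME on the cache (as the reply suggests) forces the first update path, so the file content can still be refreshed while the inode, and therefore the grant, stays stable.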