[rsbac] secure module handling
Amon Ott
rsbac@rsbac.org
Wed Sep 4 14:09:01 2002
On Wednesday, 4. September 2002 11:14, Andreas Baetz wrote:
> Hi,
>
> to make sure that only trusted kernel modules are loaded,
> I did the following (using RC and version 1.1.2):
> - assigned /lib/modules to rc_type_fd modules
> - assigned all binaries and libraries to rc_type_fd sysfiles
> - all roles have read_only to sysfiles and modules
> - created role module_admin
> - assigned rc_force_role of /sbin/insmod to role module_admin
> - removed add_to_kernel and remove_from_kernel
> from all roles except module_admin
> - removed all permissions to General_FD from
> role module_admin
>
> Now insmod can only load modules from /lib/modules and
> nobody can write there. The system works, but every time
> modprobe, lsmod, rmmod or insmod are called, they try
> to access /etc/ld.so.cache. This is not granted. The modules
> get loaded and unloaded, though. Now I granted the role
> module_admin read to this file, but the inode changes every time
> ldconfig is run. But I don't want to grant read to /etc for that role,
> because then root could create some module there and load it.
>
> What do you think about my solution? Any comments?
Your solution looks good.
You can safely set /etc/ld.so.cache to read-only to avoid these problems - it
only really needs to be recreated after library additions or updates.
You can also experiment with denying DELETE and RENAME only (e.g. FF flag) -
the file should be updated correctly, but the inode would not change.
Gabor's solution looks nice, too, but requires careful alias settings. Your
choice...
Amon.
--
http://www.rsbac.org
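The decision logic behind the thread (roles, rc_type_fd per path, a forced role on /sbin/insmod, and the two ways of dealing with /etc/ld.so.cache) is modelled below as an added example; it is not RSBAC's own code or admin-tool syntax. The type names, role names, paths, request names and the policy dictionaries are constructed for illustration, and the model covers only the READ/WRITE/DELETE/RENAME and ADD_TO_KERNEL decisions that the discussion turns on.

```python
import copy

# Request names used in the thread (constructed subset, not RSBAC's full list)
READ, WRITE, DELETE, RENAME = "READ", "WRITE", "DELETE", "RENAME"
ADD_TO_KERNEL, REMOVE_FROM_KERNEL = "ADD_TO_KERNEL", "REMOVE_FROM_KERNEL"

# Constructed policy mirroring Andreas' setup: /lib/modules -> modules,
# binaries/libraries -> sysfiles, everything else -> general_fd.
BASE_POLICY = {
    "fd_types": {"/": "general_fd", "/lib": "sysfiles", "/lib/modules": "modules",
                 "/bin": "sysfiles", "/sbin": "sysfiles"},
    "file_overrides": {},                       # exact path -> rc_type_fd
    "force_role": {"/sbin/insmod": "module_admin"},  # rc_force_role on the binary
    "roles": {
        "general_user": {"fd": {"general_fd": {READ, WRITE, DELETE, RENAME},
                                "sysfiles": {READ}, "modules": {READ}},
                         "proc": set()},
        # module_admin: no General_FD rights at all, only read on sysfiles/modules
        "module_admin": {"fd": {"sysfiles": {READ}, "modules": {READ}},
                         "proc": {ADD_TO_KERNEL, REMOVE_FROM_KERNEL}},
    },
}


def fd_type(policy, path):
    """Exact-path override first, otherwise the longest matching prefix wins."""
    if path in policy["file_overrides"]:
        return policy["file_overrides"][path]

    def covers(prefix):
        return path == prefix or path.startswith(prefix.rstrip("/") + "/")

    best = max((p for p in policy["fd_types"] if covers(p)), key=len)
    return policy["fd_types"][best]


def fd_allowed(policy, role, path, request):
    return request in policy["roles"][role]["fd"].get(fd_type(policy, path), set())


def load_module(policy, caller_role, module_path, exe="/sbin/insmod"):
    """Decision for 'caller_role runs exe to load module_path': (allowed, reason)."""
    role = policy["force_role"].get(exe, caller_role)   # forced role switch on exec
    if ADD_TO_KERNEL not in policy["roles"][role]["proc"]:
        return False, f"{role} lacks ADD_TO_KERNEL"
    if not fd_allowed(policy, role, module_path, READ):
        return False, f"{role} may not READ type {fd_type(policy, module_path)}"
    return True, "allowed"


def evaluate(policy):
    """Run the thread's scenarios against a policy; returns name -> decision."""
    cache = "/etc/ld.so.cache"
    return {
        "insmod_loads_from_lib_modules": load_module(policy, "general_user", "/lib/modules/foo.o")[0],
        "anyone_writes_lib_modules": fd_allowed(policy, "general_user", "/lib/modules/x.o", WRITE),
        "module_admin_reads_ld_cache": fd_allowed(policy, "module_admin", cache, READ),
        "insmod_loads_from_etc": load_module(policy, "general_user", "/etc/evil.o")[0],
        # in-place rewrite keeps the inode; replacement via rename/delete changes it
        "ldconfig_rewrites_in_place": fd_allowed(policy, "general_user", cache, WRITE),
        "ldconfig_replaces_by_rename": fd_allowed(policy, "general_user", cache, RENAME),
    }


def grant_general_fd_read(policy):
    """The workaround Andreas rejected: give module_admin READ on General_FD."""
    p = copy.deepcopy(policy)
    p["roles"]["module_admin"]["fd"]["general_fd"] = {READ}
    return p


def pin_ld_cache(policy):
    """Amon's suggestion: move /etc/ld.so.cache into its own type that nobody may
    DELETE or RENAME, readable by module_admin, writable in place by the admin."""
    p = copy.deepcopy(policy)
    p["file_overrides"]["/etc/ld.so.cache"] = "ld_cache"   # constructed type name
    p["roles"]["module_admin"]["fd"]["ld_cache"] = {READ}
    p["roles"]["general_user"]["fd"]["ld_cache"] = {READ, WRITE}
    return p


if __name__ == "__main__":
    for label, pol in (("base", BASE_POLICY),
                       ("general_fd read granted", grant_general_fd_read(BASE_POLICY)),
                       ("ld.so.cache pinned", pin_ld_cache(BASE_POLICY))):
        print(label, evaluate(pol))
```

Running it shows the point of the thread: granting module_admin read on General_FD makes the ld.so.cache access succeed but also lets insmod load a module from /etc, whereas giving the cache file its own type (with DELETE and RENAME withheld) restores the read while keeping /etc non-loadable and the inode stable across in-place rewrites.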