[rsbac] About insmod - lkm

=?GB2312?Q?=C1=F5=B8=EF=B7=C7?= gfliu at redflag-linux.com
Thu Mar 6 09:39:22 MET 2003

Amon Ott:

=09That means, deprive root of ADD_TO_KERNEL privilege by means of=
 RC,and then protect the /lib/modules/* from writing by MAC with=
 only read authorization to insmod ,modprobe, rmmod to that DIR=
 by RC?
=09Does the ADD_TO_KERNEL in RC take effect in rsbac 1.1.2 or does=
 RSBAC change much in RC in 1.2? 

=3D=3D=3D=3D=3D=3D=3D 2003-03-04 09:47:00 =C4=FA=D4=DA=C0=B4=D0=C5=D6=D0=D0=B4=B5=C0=A3=BA=3D=3D=3D=3D=3D=3D=3D

>On Tuesday 04 March 2003 09:23, =C1=F5=B8=EF=B7=C7 wrote:
>> =09I have one question:
>> =09If root insmod a kernel module which has changed the=
 implement of some 
>important syscall,such as open, read and write, how can we=
 ensure the 
>security of kernel with RSBAC?
>We generally do not allow root's default role to insmod=
>Instead, insmod, modprobe, rmmod get a special RC role which has=
 read access 
>only to controlled files, e.g. libraries and /lib/modules/*.
>Additionally, raw access to kernel mem is denied by default, so=
 you cannot 
>bypass the official module syscalls.
>http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
>rsbac mailing list
>rsbac at rsbac.org

=3D =3D =3D =3D =3D =3D =3D =3D =3D =3D =3D =3D =3D =3D =3D =3D =3D =3D =3D =3D

=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1gfliu at redflag-linux.com

More information about the rsbac mailing list