Bug 1198949

Summary: Ordering problem with systemd-sysctl with kernel modules with classic network initscript
Product: [Fedora] Fedora
Reporter: Shawn Starr <shawn.starr>
Component: systemd
Assignee: systemd-maint
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 22
CC: johannbg, jsynacek, lnykryn, msekleta, s, systemd-maint, zbyszek
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Last Closed: 2015-03-08 17:09:06 UTC

Description Shawn Starr 2015-03-05 07:37:47 UTC
Description of problem:
To block rootkits, you can use the sysctl parameter:

kernel.modules_disabled (set to 1 to disable; 0 does nothing)


Version-Release number of selected component (if applicable):
All versions

How reproducible:
100%

Steps to Reproduce:

Setup: using a QEMU/KVM VM, use virtio for network (or any network driver that has a kernel module). This may also likely break on non-virtualized systems.

1. Create a /etc/sysctl.d/harden.conf file, add kernel.modules_disabled=1
2. Save changes, reboot VM/system
3. When the system comes up, no network is available because no kernel module was loaded in time prior to the restriction being set.


Actual results:
Fails to start

Expected results:
Should have modules loaded prior to sysctl values being set.

Additional info:
I have not tested this yet with NetworkManager but will also be doing so to confirm this happens as well.

Comment 1 Shawn Starr 2015-03-05 07:44:15 UTC
The sysctl parameter lets you prevent further *new* kernel modules from being loaded after this value is set to 1; prior to this, modules will be loaded.

Comment 2 Shawn Starr 2015-03-05 07:46:15 UTC
Workaround: use rc.local and set this with sysctl command.

Comment 3 Zbigniew Jędrzejewski-Szmek 2015-03-08 17:09:06 UTC
In a Linux system, modules can generally be loaded at any time. If you plug in new hardware, try to make a connection using some protocol family, use a different encryption algorithm, etc. Disabling module loading, while useful, is a very specialized setup. If you want to do it, you probably need to set the value after the system is fully booted. This should work, but you're on your own, and the bug tracker is not the right place for this.
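A guard for the late-boot workaround discussed in comments 2 and 3, added here as an example and not code from the reporter or from systemd: it refuses to set kernel.modules_disabled=1 until every module the host needs (for instance the virtio network driver from the report) already appears in /proc/modules, because the setting cannot be reverted without a reboot. The /proc/modules path and the required-module names are passed as arguments (an assumption made so the check can run offline against a constructed sample).

```shell
#!/bin/sh
# Added example (not from the bug report or systemd): gate
# kernel.modules_disabled=1 on the modules the host actually needs.

# modules_loaded MODULES_FILE NAME...
# Returns 0 if every NAME is listed as a loaded module in MODULES_FILE,
# which uses the /proc/modules layout: "name size refcount deps state addr".
modules_loaded() {
    file=$1; shift
    for want in "$@"; do
        # Field 1 is the module name; compare the whole field, so that
        # "virtio" does not match "virtio_net".
        awk -v m="$want" '$1 == m { found = 1 } END { exit !found }' "$file" || {
            echo "missing module: $want" >&2
            return 1
        }
    done
    return 0
}

# lock_modules MODULES_FILE NAME...
# Sets kernel.modules_disabled=1 only once every required module is loaded.
# The switch is one-way until reboot, so refuse rather than lock out the network.
lock_modules() {
    if modules_loaded "$@"; then
        sysctl -w kernel.modules_disabled=1
    else
        echo "required modules missing; leaving module loading enabled" >&2
        return 1
    fi
}

# Constructed sample in /proc/modules format (not a real capture), used for
# offline checks. Prints the path of the temporary file it writes.
sample_modules_file() {
    f=$(mktemp)
    printf '%s\n' \
        'virtio_net 28672 0 - Live 0x0000000000000000' \
        'virtio_pci 20480 0 - Live 0x0000000000000000' > "$f"
    echo "$f"
}

# Usage on a real host (as root, from rc.local or a oneshot unit ordered
# after the network is up): lock_modules /proc/modules virtio_net virtio_pci
```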