Bug 645220
| Summary: | [RFE] kernel: modules: sysctl to block module loading [rhel-4.9] | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 4 | Reporter: | Eugene Teo (Security Response) <eteo> | |
| Component: | kernel | Assignee: | Jerome Marchand <jmarchan> | |
| Status: | CLOSED ERRATA | QA Contact: | Evan McNabb <emcnabb> | |
| Severity: | high | Docs Contact: | ||
| Priority: | high | |||
| Version: | 4.9 | CC: | dfeng, lwang, syeghiay | |
| Target Milestone: | rc | Keywords: | FutureFeature | |
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | Enhancement | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 645221 (view as bug list) | Environment: | ||
| Last Closed: | 2011-02-16 15:52:34 UTC | Type: | --- | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 645221 | |||
While it is possible to do this with /proc/sys/kernel/cap-bound by removing the CAP_SYS_MODULE capability, the likelihood of writing a wrong value to the proc file is high. Having a modules_disabled sysctl tunable would make it easier for users to disable module loading system-wide. Committed in 94.EL . RPMS are available at http://people.redhat.com/vgoyal/rhel4/ An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2011-0263.html |
Description of problem: Backport of commit 3d43321b7015387cfebbe26436d0e9d299162ea1. Implement a sysctl file that disables module-loading system-wide. Value can only be set to "1", and is tested only if standard capability checks allow CAP_SYS_MODULE. Given existing /dev/mem protections, this should allow administrators a one-way method to block module loading after initial boot-time module loading has finished.