Bug 1198949 - Ordering problem with systemd-sysctl with kernel modules with classic network initscript
Alias: None
Product: Fedora
Classification: Fedora
Component: systemd
Version: 22
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: systemd-maint
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2015-03-05 07:37 UTC by Shawn Starr
Modified: 2015-03-08 17:09 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-03-08 17:09:06 UTC
Type: Bug


Description Shawn Starr 2015-03-05 07:37:47 UTC
Description of problem:
To block rootkits, you can use the sysctl parameter:

kernel.modules_disabled (set to 1) to disable, 0 does nothing

Version-Release number of selected component (if applicable):
All versions

How reproducible:

Steps to Reproduce:

Using a QEMU/KVM VM, use virtio for the network (or any network driver that is a kernel module). This is also likely to break on non-virtualized systems.

1. Create a /etc/sysctl.d/harden.conf file and add kernel.modules_disabled=1
2. Save the change and reboot the VM/system
3. When the system comes up, no network is available because no kernel module was loaded in time prior to the restriction being set.

Actual results:
Fails to start

Expected results:
Should have modules loaded prior to sysctl values being set.

Additional info:
I have not tested this yet with NetworkManager but will be doing also to confirm this happens as well.

Comment 1 Shawn Starr 2015-03-05 07:44:15 UTC
The sysctl parameter lets you prevent further *new* kernel modules from being loaded after this value is set to 1; prior to this, modules will be loaded.

Comment 2 Shawn Starr 2015-03-05 07:46:15 UTC
Workaround: use rc.local and set this with sysctl command.

Comment 3 Zbigniew Jędrzejewski-Szmek 2015-03-08 17:09:06 UTC
In a Linux system, modules can generally be loaded at any time. If you plug in new hardware, try to make a connection using some protocol family, use a different encryption algorithm, etc. Disabling module loading, while useful, is a very specialized setup. If you want to do it, you probably need to set the value after the system is fully booted. This should work, but you're on your own, and the bug tracker is not the right place for this.
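The late-boot approach from comments 2 and 3, as an added example that is not part of this bug report or of systemd: a POSIX sh script meant to run from rc.local or a unit ordered after the network is up, which refuses to set kernel.modules_disabled=1 until every module it needs is resident, since the setting cannot be undone without a reboot. REQUIRED_MODULES is a constructed list (virtio_net matches the reporter's setup); SYSFS_ROOT and PROC_ROOT are assumed overrides so the checks can be exercised against a fake tree.

```shell
#!/bin/sh
# Added example: lock module loading only after the modules the system
# depends on are already loaded, instead of from /etc/sysctl.d, which
# systemd-sysctl applies early in boot (before network drivers load).

# Constructed list; replace with the drivers your system actually uses.
REQUIRED_MODULES="${REQUIRED_MODULES:-virtio_net}"
# Assumed overrides so the checks can run against a constructed tree.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"
PROC_ROOT="${PROC_ROOT:-/proc}"

# modules_present: return 0 when every required module has a
# $SYSFS_ROOT/module/<name> directory, 1 otherwise (missing ones on stderr).
modules_present() {
    missing=""
    for m in $REQUIRED_MODULES; do
        [ -d "$SYSFS_ROOT/module/$m" ] || missing="$missing $m"
    done
    if [ -n "$missing" ]; then
        echo "required modules not loaded:$missing" >&2
        return 1
    fi
    return 0
}

# modules_disabled_value: print the current kernel.modules_disabled value
# (empty if the file is unavailable).
modules_disabled_value() {
    cat "$PROC_ROOT/sys/kernel/modules_disabled" 2>/dev/null
}

# lock_modules: set kernel.modules_disabled=1 only if every required
# module is loaded; a no-op if the kernel is already locked.
lock_modules() {
    modules_present || return 1
    if [ "$(modules_disabled_value)" = "1" ]; then
        return 0
    fi
    sysctl -w kernel.modules_disabled=1
}

# Usage: run with --apply as root after the system has fully booted.
if [ "${1:-}" = "--apply" ]; then
    lock_modules
fi
```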
