Bug 645220 – [RFE] kernel: modules: sysctl to block module loading [rhel-4.9]

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 645220 - [RFE] kernel: modules: sysctl to block module loading [rhel-4.9]

Summary:	[RFE] kernel: modules: sysctl to block module loading [rhel-4.9]

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 4
Classification:	Red Hat
Component:	kernel (Show other bugs)
Sub Component:
Version:	4.9
Hardware:	Unspecified Unspecified

Priority	high Severity high
Target Milestone:	rc
Target Release:	---
Assigned To:	Jerome Marchand
QA Contact:	Evan McNabb
Docs Contact:

URL:
Whiteboard:
Keywords:	FutureFeature

Depends On:
Blocks:	645221
	Show dependency tree / graph

Reported:	2010-10-20 23:11 EDT by Eugene Teo (Security Response)
Modified:	2011-10-04 10:42 EDT (History)
CC List:	3 users (show)

See Also:
Fixed In Version:
Doc Type:	Enhancement
Doc Text:
Story Points:	---
Clone Of:
Clones:	645221 (view as bug list)
Environment:
Last Closed:	2011-02-16 10:52:34 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2011:0263	normal	SHIPPED_LIVE	Important: Red Hat Enterprise Linux 4.9 kernel security and bug fix update	2011-02-16 10:14:55 EST

Groups: None (edit)

Description Eugene Teo (Security Response) 2010-10-20 23:11:03 EDT

Description of problem:
Backport of commit 3d43321b7015387cfebbe26436d0e9d299162ea1.

Implement a sysctl file that disables module-loading system-wide.
    
Value can only be set to "1", and is tested only if standard capability checks allow CAP_SYS_MODULE.  Given existing /dev/mem protections, this should allow administrators a one-way method to block module loading after initial boot-time module loading has finished.

Comment 1 Eugene Teo (Security Response) 2010-10-20 23:13:30 EDT

While it is possible to do this with /proc/sys/kernel/cap-bound by removing the CAP_SYS_MODULE capability, the likelihood of writing a wrong value to the proc file is high. Having a modules_disabled sysctl tunable would make it easier for users to disable module loading system-wide.

Comment 3 Jerome Marchand 2010-12-01 11:17:08 EST

Posted:
http://post-office.corp.redhat.com/archives/rhkernel-list/2010-December/msg00034.html

Comment 4 Vivek Goyal 2010-12-21 10:15:10 EST

Committed in 94.EL . RPMS are available at http://people.redhat.com/vgoyal/rhel4/

Comment 7 errata-xmlrpc 2011-02-16 10:52:34 EST

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0263.html

Note You need to log in before you can comment on or make changes to this bug.