Description of problem:

Backport of commit 3d43321b7015387cfebbe26436d0e9d299162ea1. Implement a sysctl file that disables module-loading system-wide. Value can only be set to "1", and is tested only if standard capability checks allow CAP_SYS_MODULE. Given existing /dev/mem protections, this should allow administrators a one-way method to block module loading after initial boot-time module loading has finished.
While it is possible to do this with /proc/sys/kernel/cap-bound by removing the CAP_SYS_MODULE capability, the likelihood of writing a wrong value to the proc file is high. Having a modules_disabled sysctl tunable would make it easier for users to disable module loading system-wide.
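An added example, not part of the original report or of the kernel patch: a POSIX shell helper that checks and sets the one-way switch, next to the bitmask arithmetic the cap-bound route requires. It assumes the tunable is exposed as /proc/sys/kernel/modules_disabled and that cap-bound holds a signed decimal bitmask; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit and one-way lock of kernel module loading.
# Paths are parameters so the functions can be exercised on ordinary files.
MODULES_DISABLED=/proc/sys/kernel/modules_disabled   # assumed location
CAP_BOUND=/proc/sys/kernel/cap-bound                 # path named in the report
CAP_SYS_MODULE_BIT=16                                # CAP_SYS_MODULE in linux/capability.h

# Print locked | unlocked | invalid | unsupported for the sysctl file.
modules_state() {
    f=${1:-$MODULES_DISABLED}
    [ -r "$f" ] || { echo unsupported; return 0; }
    case "$(cat "$f")" in
        1) echo locked ;;
        0) echo unlocked ;;
        *) echo invalid ;;
    esac
}

# Write "1" and confirm it took effect.
# Returns 0 when locked, 1 when the write was refused, 2 when the file is absent.
lock_modules() {
    f=${1:-$MODULES_DISABLED}
    [ -e "$f" ] || return 2
    [ "$(modules_state "$f")" = locked ] && return 0
    { echo 1 > "$f"; } 2>/dev/null || return 1
    [ "$(modules_state "$f")" = locked ]
}

# cap-bound route: the caller must derive a new mask from the current one.
# Clearing the wrong bit, or writing a bare "0", drops other capabilities too.
cap_bound_without_sys_module() {
    echo $(( $1 & ~(1 << $CAP_SYS_MODULE_BIT) ))
}

# True when the given cap-bound mask still permits CAP_SYS_MODULE.
cap_bound_allows_modules() {
    [ $(( $1 & (1 << $CAP_SYS_MODULE_BIT) )) -ne 0 ]
}
```

Call `lock_modules` as the last step of boot, once every required module is loaded; a non-zero return means the running kernel lacks the tunable or refused the write.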
Posted: http://post-office.corp.redhat.com/archives/rhkernel-list/2010-December/msg00034.html
Committed in 94.EL. RPMs are available at http://people.redhat.com/vgoyal/rhel4/
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2011-0263.html