[vox-tech] Linux file/module security proposal.
Bill Broadley
bill at cse.ucdavis.edu
Fri Aug 22 09:37:44 PDT 2008
Wes Hardaker wrote:
>>>>>> On Thu, 21 Aug 2008 18:32:29 -0700, Bill Broadley <bill at cse.ucdavis.edu> said:
>
> BB> Does your distro/kernel allow writing to memory?
>
> I meant protected even via root access... But SElinux should provide
> this (I'm not an SELinux expert, mind you).
I meant via root. Does it work on your system by default?
> BB> Not sure how you could prevent future loading of modules, or require
> BB> loading only from RO media.
>
> You'd have to only allow loading from the RO media. Anytime you wanted
> something new, you'd need to boot from something new. It'd be a pain
> when you needed to change, of course.
I'm not against it in principal, I just don't see how it would be practical to
implement. The signed modules has an implementation, and doesn't require the
reboots. But does require a module to be signed private key. So you can
leave 100s of unused modules around and load them willy nilly, but still can't
run a trojan module... all without having any exposure since the private key
does not need to be on the system.
More information about the vox-tech
mailing list