modules: sysctl to block module loading

Implement a sysctl file that disables module-loading system-wide since there is no longer a viable way to remove CAP_SYS_MODULE after the system bounding capability set was removed in 2.6.25. Value can only be set to "1", and is tested only if standard capability checks allow CAP_SYS_MODULE. Given existing /dev/mem protections, this should allow administrators a one-way method to block module loading after initial boot-time module loading has finished. Signed-off-by: Kees Cook <kees.cook@canonical.com> Acked-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
2025-06-23 23:21:46 +00:00 · 2009-04-02 15:49:29 -07:00 · 2009-04-02 15:49:29 -07:00 · 3d43321b70
commit 3d43321b70
parent 8a6f83afd0
3 changed files with 28 additions and 2 deletions
--- a/kernel/module.c
+++ b/kernel/module.c
@ -778,6 +778,9 @@ static void wait_for_zero_refcount(struct module *mod)
 	mutex_lock(&module_mutex);
 }

+/* Block module loading/unloading? */
+int modules_disabled = 0;
+
 SYSCALL_DEFINE2(delete_module, const char __user *, name_user,
 		unsigned int, flags)
 {
@ -785,7 +788,7 @@ SYSCALL_DEFINE2(delete_module, const char __user *, name_user,
 	char name[MODULE_NAME_LEN];
 	int ret, forced = 0;

-	if (!capable(CAP_SYS_MODULE))
+	if (!capable(CAP_SYS_MODULE) || modules_disabled)
 		return -EPERM;

 	if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0)
@ -2349,7 +2352,7 @@ SYSCALL_DEFINE3(init_module, void __user *, umod,
 	int ret = 0;

 	/* Must have permission */
-	if (!capable(CAP_SYS_MODULE))
+	if (!capable(CAP_SYS_MODULE) || modules_disabled)
 		return -EPERM;

 	/* Only one module load at a time, please */