LWN.net Logo

Advertisement

TrustCommerce

E-Commerce & credit card processing - the Open Source way!

Advertise here

Not logged in

Log in now

Create an account

Subscribe to LWN

Sponsored link

Vyatta – Linux & Open Source Alternative to Cisco – Advanced Routing, Firewall, VPN, QoS..
Free Download ->

Recent Features

LK2008: The values of the Linux community

LWN.net Weekly Edition for October 9, 2008

Plugging into GCC

LWN.net Weekly Edition for October 2, 2008

Ubuntu debuts its Upstream Report

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

The ExecShield patches

The ExecShield patches

Posted Jul 20, 2005 6:47 UTC (Wed) by dlang (subscriber, #313)
In reply to: The ExecShield patches by jwb
Parent article: Kernel Summit 2005: The ExecShield patches

however, currently the primary reason why building a monolithic kernel to preveent root from loading modules is the fact that root will have access to /dev/mem (or /proc/kmem) and can therefor fiddle with memory directly.

if access to those is cut off then people running especially security critical systems can build kernels that don't support loading modules AND don't support access to /dev/mem and gain a considerable amount of protection.

and face it, firewalls don't really need modules, they have a very static hardware configuration.

so I definantly see this as a useful option.

(Log in to post comments)

The ExecShield patches

Posted Jul 20, 2005 7:27 UTC (Wed) by nix (subscriber, #2304) [Link]

People running firewalls can already remove CAP_RAWIO from the kernel's capability bounding set, which bans reads and writes to /dev/mem. (Obviously, you have to grant an X server this capability, but there shouldn't be one of those running on a firewall anyway, really.)

The ExecShield patches

Posted Jul 20, 2005 20:42 UTC (Wed) by dlang (subscriber, #313) [Link]

unless ou are running selinux (which most distros don't do, and I definantly don't trust RedHat enough to use it on a firewall) I am not aware of an easy way to do this.

if there is one please let me know how.

Re: access to /dev/mem

Posted Jul 22, 2005 1:47 UTC (Fri) by sweikart (guest, #4276) [Link]

Here's a good description of it:

http://lwn.net/1999/1202/kernel.php3

And here's an implementation for dropping capabilities at boot time:

http://lists.nas.nasa.gov/archives/ext/linux-security-aud...

Since you can disable access to /dev/mem with the capability bounding set, I would request that the semantics of /dev/mem not change.

-scott

Re: access to /dev/mem

Posted Jul 25, 2005 11:54 UTC (Mon) by nix (subscriber, #2304) [Link]

The one-liner I use on my firewall is online here.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds