The ExecShield patches
Posted Jul 20, 2005 6:47 UTC (Wed) by dlang
(✭ supporter ✭
In reply to: The ExecShield patches
Parent article: Kernel Summit 2005: The ExecShield patches
however, currently the primary reason why building a monolithic kernel to preveent root from loading modules is the fact that root will have access to /dev/mem (or /proc/kmem) and can therefor fiddle with memory directly.
if access to those is cut off then people running especially security critical systems can build kernels that don't support loading modules AND don't support access to /dev/mem and gain a considerable amount of protection.
and face it, firewalls don't really need modules, they have a very static hardware configuration.
so I definantly see this as a useful option.
to post comments)