A software suspend decision point
Posted Nov 17, 2005 22:28 UTC (Thu) by iabervon
Parent article: A software suspend decision point
It seems to me like it would be sufficient to block rootkits to have a sysctl that permanently disables /dev/kmem; then Red Hat could poke it when it decides you're not resuming an image and rootkits wouldn't be able to use it. Anything running at that point is loaded out of the kernel or initrd image, and an attacker that could get something to run then could just as easily get it to run inside the kernel. The security properties of early userspace are somewhat special, and it's not like you'd want to resume an image under ordinary conditions.