
Ksplice: kernel patches without reboots

Posted Apr 30, 2008 10:00 UTC (Wed) by dambacher (subscriber, #1710)
Parent article: Ksplice: kernel patches without reboots

What if someone provides a patch to silently _include_ a security hole?
How can a sysadmin make sure his kernel won't be patched that way?


Ksplice: kernel patches without reboots

Posted Apr 30, 2008 11:16 UTC (Wed) by nowster (subscriber, #67)

The black hats have already done this. Modules that patch the kernel have been part of
rootkits for a while.

Ksplice: kernel patches without reboots

Posted Apr 30, 2008 12:24 UTC (Wed) by nix (subscriber, #2304)

Don't allow module loading and remove CAP_SYS_RAWIO from the capability bounding set so that
use of /dev/mem, /dev/kmem et al is barred.

(Of course this stops you using ksplice, systemtap et al as well.)
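Editor's added example, not code from LWN, from the commenters, or from the Ksplice project: the hardening nix describes, done from C with prctl(2). It drops CAP_SYS_RAWIO (which gates opening /dev/mem and /dev/kmem and the iopl/ioperm calls) and CAP_SYS_MODULE (which gates module loading) from the capability bounding set. It assumes a Linux kernel of 2.6.25 or later, where PR_CAPBSET_DROP was introduced, and that the process doing the dropping holds CAP_SETPCAP (in practice: runs as root); without that the kernel refuses with EPERM, which the code reports rather than hides. The function and variable names are this example's own.

```c
/*
 * Added example (not from LWN, the commenters, or the Ksplice project):
 * apply the hardening nix describes by dropping CAP_SYS_RAWIO (which gates
 * /dev/mem, /dev/kmem, ioperm/iopl) and CAP_SYS_MODULE (module loading)
 * from the capability bounding set.  Assumes Linux 2.6.25 or later, which
 * introduced PR_CAPBSET_DROP.  The bounding set is inherited across fork
 * and kept across exec, so doing this in init (or any early supervisor)
 * caps every process it spawns; a dropped cap cannot be re-added, even by
 * root, so the ceiling is one-way until reboot.
 */
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <linux/capability.h>

/* 1 if cap is in the caller's bounding set, 0 if not, -1 on error. */
int capbset_has(int cap)
{
    int r = prctl(PR_CAPBSET_READ, cap, 0, 0, 0);
    return r < 0 ? -1 : r;
}

/*
 * Drop cap from the bounding set.  Returns 0 when the cap is absent
 * afterwards (dropped now or already gone), 1 when the kernel refuses
 * because the caller lacks CAP_SETPCAP (EPERM), -1 on any other error.
 */
int capbset_drop(int cap)
{
    int have = capbset_has(cap);
    if (have < 0)
        return -1;
    if (have == 0)
        return 0;
    if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) == 0)
        return 0;
    return errno == EPERM ? 1 : -1;
}

/*
 * Bar raw memory access and module loading for this process and all its
 * descendants.  Returns 0 if both caps are now out of the bounding set,
 * 1 if at least one drop was refused for lack of CAP_SETPCAP, -1 on error.
 */
int harden_bounding_set(void)
{
    const int caps[] = { CAP_SYS_RAWIO, CAP_SYS_MODULE };
    int worst = 0;
    for (size_t i = 0; i < sizeof caps / sizeof caps[0]; i++) {
        int r = capbset_drop(caps[i]);
        if (r < 0)
            return -1;
        if (r > worst)
            worst = r;
    }
    return worst;
}

int main(void)
{
    int r = harden_bounding_set();
    if (r < 0) {
        perror("prctl");
        return 1;
    }
    printf("CAP_SYS_RAWIO in bounding set:  %d\n", capbset_has(CAP_SYS_RAWIO));
    printf("CAP_SYS_MODULE in bounding set: %d\n", capbset_has(CAP_SYS_MODULE));
    if (r == 1)
        fputs("drop refused: run with CAP_SETPCAP (e.g. as root)\n", stderr);
    return r;
}
```

Two practical notes. First, the bounding set is per-thread, so this has to run in the process at the root of the tree you want covered (init, or the supervisor that starts your services); running it in a shell only protects that shell and its children. Second, nix's caveat applies exactly as stated: with CAP_SYS_RAWIO and CAP_SYS_MODULE gone, legitimate tools such as ksplice and systemtap are locked out along with the rootkit modules nowster mentions. Later kernels (2.6.31 onward) also offer the one-way sysctl kernel.modules_disabled=1 for the module-loading half, but that post-dates this thread.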

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds