Don't allow module loading and remove CAP_SYS_RAWIO from the capability bounding set so that use of /dev/mem, /dev/kmem et al is barred. (Of course this stops you using ksplice, systemtap et al as well.)
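An added example, not part of the comment above: a small C audit that checks whether the two restrictions it describes are in effect for the calling process. It assumes module loading is locked with the `kernel.modules_disabled` sysctl (the comment does not say which mechanism it means) and reads the bounding set from the `CapBnd` line of `/proc/self/status`; the function name and `FOUND_*` flags are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability bit numbers from <linux/capability.h>. */
#define BIT_SYS_MODULE 16
#define BIT_SYS_RAWIO  17
/* Hypothetical result flags used only by this example. */
#define FOUND_RAWIO  1   /* CAP_SYS_RAWIO still in the bounding set  */
#define FOUND_MODULE 2   /* CAP_SYS_MODULE still in the bounding set */
#define FOUND_NOLINE 4   /* no CapBnd line in the text               */

/* Scan the text of /proc/<pid>/status line by line for CapBnd and
 * report which of the two capabilities the bounding set still holds. */
int audit_capbnd(const char *status)
{
    for (const char *p = status; p && *p; ) {
        if (strncmp(p, "CapBnd:", 7) == 0) {
            unsigned long long mask = strtoull(p + 7, NULL, 16);
            return ((mask >> BIT_SYS_RAWIO) & 1 ? FOUND_RAWIO : 0)
                 | ((mask >> BIT_SYS_MODULE) & 1 ? FOUND_MODULE : 0);
        }
        p = strchr(p, '\n');
        if (p) p++;
    }
    return FOUND_NOLINE;
}

int main(void)
{
    char buf[8192];
    int locked = 0;
    FILE *f = fopen("/proc/self/status", "r");
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f);
    buf[n] = '\0';
    int r = audit_capbnd(buf);
    f = fopen("/proc/sys/kernel/modules_disabled", "r"); /* assumed mechanism */
    if (f) {
        if (fscanf(f, "%d", &locked) != 1) locked = 0;
        fclose(f);
    }
    printf("CAP_SYS_RAWIO dropped:  %s\n", (r & (FOUND_RAWIO | FOUND_NOLINE)) ? "no" : "yes");
    printf("CAP_SYS_MODULE dropped: %s\n", (r & (FOUND_MODULE | FOUND_NOLINE)) ? "no" : "yes");
    printf("modules_disabled=1:     %s\n", locked == 1 ? "yes" : "no");
    return (r != 0 || locked != 1) ? 1 : 0;   /* non-zero: not hardened */
}
```

The bounding set is inherited across fork and exec, so the result for a process started early in boot also holds for its descendants.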
Copyright © 2017, Eklektix, Inc.