SAFE public projects git trees. - safe/jmp/linux-2.6/commit

author	Kees Cook <kees@ubuntu.com>
	Thu, 2 Apr 2009 22:49:29 +0000 (15:49 -0700)
committer	James Morris <jmorris@namei.org>
	Fri, 3 Apr 2009 00:47:11 +0000 (11:47 +1100)
commit	3d43321b7015387cfebbe26436d0e9d299162ea1
tree	bae6bd123c8f573e844a7af11c96eb5f6a73e0ee	tree \| snapshot
parent	8a6f83afd0c5355db6d11394a798e94950306239	commit \| diff

modules: sysctl to block module loading

Implement a sysctl file that disables module-loading system-wide since
there is no longer a viable way to remove CAP_SYS_MODULE after the system
bounding capability set was removed in 2.6.25.

Value can only be set to "1", and is tested only if standard capability
checks allow CAP_SYS_MODULE. Given existing /dev/mem protections, this
should allow administrators a one-way method to block module loading
after initial boot-time module loading has finished.

Signed-off-by: Kees Cook <kees.cook@canonical.com>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>

Documentation/sysctl/kernel.txt		diff \| blob \| history
kernel/module.c		diff \| blob \| history
kernel/sysctl.c		diff \| blob \| history