Modules make no difference to security. If I can add a module I can swap
the kernel and reboot the box, or I can patch the kernel. In fact I can
load modules into module-less kernels its just a bit harder.
> to accept a module we didn't build? Are there plans to implement some
> form of finger printing on modules down the road?
It doesnt help you without a lot more than just fingerprints. You can
revoke module loading at boot time if you want - it only makes things a
little harder.
If you want to make it theoretically impossible then you need to load
the modules required early then revoke the module loading and rawio
capabilities. At that point I should not be able to get raw hardware
access or load a module. You need to revoke both of the so I can't for
example hand load modules by poking in /dev/mem.
Alan
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/