On Fri, May 15, 2026 at 07:20:18PM +0200, Michal Gorlas wrote:
> Add option to restrict the module auto-loading to CAP_SYS_ADMIN.
> This is heavily inspired by CONFIG_GRKERNSEC_MODHARDEN of the latest
> available Grsecurity patches [1]. Instead of checking whether the
> callers' UID is 0, check whether the calling process has CAP_SYS_ADMIN.
> The reasoning here is that many modules are autoloaded by systemd
> services which are running as privileged users, but do not have UID 0.
> While systemd-udevd runs as root, systemd-network (which often
> auto-loads a module) for example runs as system user (UID range 6 to
> 999).
>
> When enabled, reduces attack surface where unprivileged users can trigger
> vulnerable module to be auto-loaded, to then exploit it. Recent LPEs
> (CopyFail [3], DirtyFrag [4]) for example, would have been mitigated
> with this option enabled as long as the vulnerable modules are not built-in
> (or already loaded at the point of running the exploit).
This sounds potentially useful as an optional feature. Kees, you've looked at grsec features in the past, do you have any thoughts about this?

Sami
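As an added illustration (not code from the patch or from anyone in this thread), a small userspace check that reads the Uid: and CapEff: fields of a /proc/<pid>/status-style text and evaluates both the old "caller is UID 0" test and the proposed "caller holds CAP_SYS_ADMIN" test, which is what an administrator would run to see which services keep the ability to trigger auto-loading. The kernel side would use capable(CAP_SYS_ADMIN); this approximates it by testing the effective set, and the two status excerpts are constructed, not captured from a real system.

```c
/* Added example, not code from the patch or from anyone in this thread:
 * read the Uid: and CapEff: fields of a /proc/<pid>/status-style text
 * and evaluate both the old "caller is UID 0" test and the proposed
 * "caller holds CAP_SYS_ADMIN" test. The two status excerpts below are
 * constructed for illustration, not captured from a real system. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SYS_ADMIN 21 /* bit number, as in linux/capability.h */

/* Real UID from the "Uid:" line, or -1 if the line is missing. */
long real_uid(const char *status)
{
    const char *p = strstr(status, "\nUid:");
    if (!p) return -1;
    return strtol(p + strlen("\nUid:"), NULL, 10);
}

/* 1 if CAP_SYS_ADMIN is in the effective set, 0 if not, -1 if the
 * "CapEff:" line is missing (callers treat -1 as "deny"). */
int has_cap_sys_admin(const char *status)
{
    const char *p = strstr(status, "\nCapEff:");
    if (!p) return -1;
    uint64_t eff = strtoull(p + strlen("\nCapEff:"), NULL, 16);
    return (int)((eff >> CAP_SYS_ADMIN) & 1);
}

/* Policy before the patch: auto-loading is allowed only for UID 0. */
int allowed_by_uid0(const char *status) { return real_uid(status) == 0; }

/* Policy the patch proposes: allowed only with CAP_SYS_ADMIN; a missing
 * CapEff line fails closed. */
int allowed_by_cap(const char *status) { return has_cap_sys_admin(status) == 1; }

/* Constructed: a system user (UID 192) holding CAP_SYS_ADMIN, and a UID-0
 * process whose effective capability set is empty. */
const char *SVC_STATUS  = "Name:\tsvc\nUid:\t192\t192\t192\t192\nCapEff:\t0000000000200000\n";
const char *ROOT_NOCAPS = "Name:\tsh\nUid:\t0\t0\t0\t0\nCapEff:\t0000000000000000\n";

int main(void)
{
    printf("svc:  uid0=%d cap=%d\n", allowed_by_uid0(SVC_STATUS), allowed_by_cap(SVC_STATUS));
    printf("root: uid0=%d cap=%d\n", allowed_by_uid0(ROOT_NOCAPS), allowed_by_cap(ROOT_NOCAPS));
    return 0;
}
```

The two policies disagree on both constructed processes: the system service passes only the capability test, and the capability-less UID-0 process passes only the UID test.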

