On Mon, May 22, 2017 at 4:38 PM, Andy Lutomirski <l...@kernel.org> wrote:
> I think that having the un-resettable mode is unnecessary. We should
> have an option that disables loading modules entirely and cannot be
> unset. (That means no explicit loads and no implicit loads.) Maybe
> we already have this. Otherwise, tightening caps needed for implicit
> loads should just be a normal yes/no setting IMO.

Yup, /proc/sys/kernel/modules_disabled already does this.

--
Kees Cook
Pixel Security