On Sat, Oct 16, 2010 at 08:28:42PM +0000, Andrew Doran wrote:
>
> I may be missing your point but there are other ways of sabotaging
> the securelevel mechanism without kernel modules available. It doesn't
> seem like a new problem to me. A more obvious way to be mischievous
> for sure but not new.
Generally speaking, the other ways require a reboot. So this is worse in what seems to me a relevant way.

I'm starting to think the simplest thing -- though it is not so simple! -- that lets people building systems where securelevel actually is used to protect a TCB continue to do so, yet use kernel modules, is to record which modules may be autoloaded at boot time, whether by content hash or dev/ino (with the immutable requirement to ensure reuse does not screw us up). The latter seems like it _should_ be simpler but I bet in practice the former really is.

Thor
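The two allowlist schemes Thor contrasts (record the boot-time set of modules by content hash, or by dev/ino) differ in what they bind to, and the difference is easy to see in userland. The following is an added illustration written for this page, not code from the thread or from NetBSD; the module files, the `.kmod` names and the "attacker rewrites a module" step are all constructed. It takes a boot-time snapshot of one module under both schemes, then shows that an in-place rewrite of the file keeps the same (dev, ino) and so still passes the dev/ino check while failing the hash check, which is exactly why the dev/ino scheme needs the immutable flag (schg on BSD blocks both writing and unlinking, so neither in-place modification nor inode reuse after deletion is possible) and why the hash scheme needs no such help.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Content identity of a module: survives renames, changes on any edit."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def devino(path):
    """Filesystem identity of a module: survives edits, changes on unlink+recreate."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)


def record_allowlist(module_paths):
    """Boot-time snapshot of the modules that may be autoloaded later.

    Returns the same set expressed both ways so the two policies can be
    compared side by side.
    """
    by_hash = {sha256_file(p) for p in module_paths}
    by_devino = {devino(p) for p in module_paths}
    return by_hash, by_devino


def allowed_by_hash(path, by_hash):
    return sha256_file(path) in by_hash


def allowed_by_devino(path, by_devino):
    # Without the immutable flag on the file this check only proves that the
    # inode is the one seen at boot, not that its contents are unchanged.
    return devino(path) in by_devino


def demo():
    """Run the scenario in a scratch directory; returns (hash_ok, devino_ok) per case."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        mod = os.path.join(d, "good.kmod")  # constructed stand-in for a module
        with open(mod, "wb") as f:
            f.write(b"\x7fELF original module")

        by_hash, by_devino = record_allowlist([mod])

        # Case 1: nothing touched since boot; both policies accept.
        results["pristine"] = (allowed_by_hash(mod, by_hash),
                               allowed_by_devino(mod, by_devino))

        # Case 2: attacker with write access truncates and rewrites the module
        # in place. O_TRUNC keeps the inode, so dev/ino still matches.
        with open(mod, "wb") as f:
            f.write(b"\x7fELF trojan module")
        results["rewritten_in_place"] = (allowed_by_hash(mod, by_hash),
                                         allowed_by_devino(mod, by_devino))

        # Case 3: a fresh file that was not present at boot; neither policy
        # should accept it. (Inode-number reuse after unlinking an allowlisted
        # file is the dev/ino scheme's other hazard; it is not reproducible
        # deterministically here, which is what the immutable flag is for.)
        evil = os.path.join(d, "evil.kmod")
        with open(evil, "wb") as f:
            f.write(b"\x7fELF unknown module")
        results["new_file"] = (allowed_by_hash(evil, by_hash),
                               allowed_by_devino(evil, by_devino))
    return results


if __name__ == "__main__":
    for case, (h, di) in demo().items():
        print(f"{case:20s} hash_ok={h!s:5s} devino_ok={di}")
```

The rewritten-in-place case is the one that matters: the dev/ino allowlist says "yes" to a module whose contents the attacker chose, so that scheme is only as strong as the immutability guarantee on every listed file, whereas the hash allowlist rejects the change outright and costs only a read of each candidate at load time.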