From pst@jnx.com  Mon Apr 21 09:45:07 1997
Received: from red.jnx.com (red.jnx.com [208.197.169.254])
          by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id JAA29249
          for <FreeBSD-gnats-submit@freebsd.org>; Mon, 21 Apr 1997 09:45:05 -0700 (PDT)
Received: (from pst@localhost)
	by red.jnx.com (8.8.5/8.8.5) id JAA15578;
	Mon, 21 Apr 1997 09:44:29 -0700 (PDT)
Message-Id: <199704211644.JAA15578@red.jnx.com>
Date: Mon, 21 Apr 1997 09:44:29 -0700 (PDT)
From: Paul Traina <pst@jnx.com>
Reply-To: pst@jnx.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: LKMs are a security hole -- need way to disable them
X-Send-Pr-Version: 3.2

>Number:         3365
>Category:       kern
>Synopsis:       LKMs are a security hole -- need way to disable them
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon Apr 21 09:50:02 PDT 1997
>Closed-Date:    Mon Apr 21 17:36:41 PDT 1997
>Last-Modified:  Mon Apr 21 17:40:02 PDT 1997
>Originator:     Paul Traina
>Release:        FreeBSD 2.2-STABLE i386
>Organization:
Juniper Networks
>Environment:

Any FreeBSD machine where you'd like to stop someone who gains root from
mucking with your kernel.

>Description:

It's too easy for someone to gain root and add optional functionality to
your kernel (such as the snp pseudo-device, or perhaps BPF support...albeit
BPF is a bit harder).

>How-To-Repeat:

>Fix:
	
I'd like to request two changes:

(a) if securitylevel > N then LKM loading is disabled in the kernel
	(N = the same level that disables changing of the schg flag)

(b) a kernel option to disable LKM loading

Both of these are good 2.2-stable candidates.
>Release-Note:
>Audit-Trail:

From: "Jin Guojun[ITG]" <jin@george.lbl.gov>
To: FreeBSD-gnats-submit@FreeBSD.ORG, pst@jnx.com
Cc:
Subject: Re: kern/3365: LKMs are a security hole -- need way to disable them
Date: Mon, 21 Apr 1997 10:06:14 -0700

 > Any FreeBSD machine where you'd like to stop someone who gains root from
 > mucking with your kernel.
 > 
 > >Description:
 > 
 > It's too easy for someone to gain root and add optional functionality to
 > your kernel (such as the snp pseudo-device, or perhaps BPF support...albeit
 > BPF is a bit harder).
 
 I am not clear how this can happen. One has to be root (having root access)
 to do LKM load. Some condition for one modifying the LKM object. So how easy
 for every one to gain root without root access right.
 
 If you put LKM object at a non-secure place, then it is not the LKM problem :-)
 
 -Jin
 

From: Paul Traina <pst@jnx.com>
To: "Jin Guojun[ITG]" <jin@george.lbl.gov>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: kern/3365: LKMs are a security hole -- need way to disable them 
Date: Mon, 21 Apr 1997 10:39:53 -0700

   From: "Jin Guojun[ITG]" <jin@george.lbl.gov>
   Subject: Re: kern/3365: LKMs are a security hole -- need way to disable them
   > Any FreeBSD machine where you'd like to stop someone who gains root from
   > mucking with your kernel.
   > 
   > >Description:
   > 
   > It's too easy for someone to gain root and add optional functionality to
   > your kernel (such as the snp pseudo-device, or perhaps BPF support...albeit
   > BPF is a bit harder).
   
   I am not clear how this can happen. One has to be root (having root access)
   to do LKM load. Some condition for one modifying the LKM object. So how easy
   for every one to gain root without root access right.
 
   If you put LKM object at a non-secure place, then it is not the LKM problem
 
 Just because someone's root doesn't mean that you want them to have the ability
 to modify your OS.  That's the whole point of the schg flag.  Right now, LKMs
 are a hole in the securitylevel protection model.

From: Bruce Evans <bde@zeta.org.au>
To: FreeBSD-gnats-submit@freebsd.org, pst@jnx.com
Cc:
Subject: Re: kern/3365: LKMs are a security hole -- need way to disable them
Date: Tue, 22 Apr 1997 04:30:38 +1000

 >I'd like to request two changes:
 >
 >(a) if securitylevel > N then LKM loading is disabled in the kernel
 >	(N = the same level that disables changing of the schg flag)
 
 This is standard in all versions later than 2.1.0 (N = 0).
 
 Bruce
State-Changed-From-To: open->closed 
State-Changed-By: pst 
State-Changed-When: Mon Apr 21 17:36:41 PDT 1997 
State-Changed-Why:  
This is standard in all versions later than 2.1.0 (N = 0). 


From: Paul Traina <pst@jnx.com>
To: Bruce Evans <bde@zeta.org.au>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: kern/3365: LKMs are a security hole -- need way to disable them 
Date: Mon, 21 Apr 1997 17:37:25 -0700

 Cool, thanks.  Will close.
 
   From: Bruce Evans <bde@zeta.org.au>
   Subject: Re: kern/3365: LKMs are a security hole -- need way to disable them
   >I'd like to request two changes:
   >
   >(a) if securitylevel > N then LKM loading is disabled in the kernel
   >	(N = the same level that disables changing of the schg flag)
   
   This is standard in all versions later than 2.1.0 (N = 0).
   
   Bruce
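
Added example, not part of the original PR thread or of FreeBSD itself: a shell audit of the protection model discussed above, where securelevel > 0 blocks LKM loading (per Bruce Evans's reply) and stops the schg flag from being changed. The function names are hypothetical, and the file paths and `ls -lo` sample are constructed.

```shell
#!/bin/sh
# Added example: can root still alter the kernel on this host?

# True (0) if LKM loading is still permitted at securelevel $1.
# Per the thread, loading is disabled when securelevel > N, with N = 0.
lkm_load_allowed() {
    [ "$1" -le 0 ]
}

# Reads `ls -lo` lines on stdin and prints the paths that lack schg.
# Field 5 is the file-flags column ("-" when no flags are set).
files_without_schg() {
    awk '{
        n = split($5, flags, ","); found = 0
        for (i = 1; i <= n; i++) if (flags[i] == "schg") found = 1
        if (!found) print $NF
    }'
}

# audit LEVEL LS_OUTPUT -> 0 = protected, 1 = LKM loading open, 2 = files unflagged
audit() {
    if lkm_load_allowed "$1"; then
        echo "FAIL: securelevel=$1, root can load LKMs and clear schg"
        return 1
    fi
    missing=$(printf '%s\n' "$2" | files_without_schg)
    if [ -n "$missing" ]; then
        echo "WARN: LKM loading blocked, but replaceable on disk before reboot:"
        echo "$missing"
        return 2
    fi
    echo "OK: securelevel=$1, kernel and module files are schg"
    return 0
}

# Constructed sample of `ls -lo` output (paths and sizes are illustrative).
SAMPLE_LS='-r-xr-xr-x  1 root  wheel  schg 1450000 Apr 21 09:00 /kernel
-r--r--r--  1 root  wheel  -      12000 Apr 21 09:00 /lkm/example_mod.o'

# On a live host, pass "$(sysctl -n kern.securelevel)" and real `ls -lo` output.
audit 1 "$SAMPLE_LS" || true
```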
   
>Unformatted:
