how to disable loadable kernel modules?

Robert Bonomi bonomi at mail.r-bonomi.com
Wed Feb 24 23:00:32 UTC 2010



I'm building custom kernels for use in 'hostile' environments -- where I need 
to enforce "restricted" capabilities, even in the event of malicious 'root'
access.  (if the bad guy has *physical* access to the machine, I know I'm 
toast, so I don't try to protect against _that_ in software -- beyond the 
usual access-control mechanisms, that is.)

To accomplish this, I need to (among other things) *completely* disable
kernel 'loadable module' functionality.  Building the required monolithic
kernel is no problem, and by booting from _physical_ read-only media, I
can protect against bootloader/kernel/application substitution.  I just 
need to make it "impossible" to add modules to the running system. 

I don't see anything in the kernel configuration file options (e.g.,
something like an 'options NO_MODULES') that would do this 'painlessly',
so I'm looking at the 'brute force' solution of actually modifying the
kernel code myself.

Can somebody point me towards the source module(s) that contain the
syscall 'dispatch' code and/or the loadable module implementation?

I'm looking to either disable the kernel function ENTIRELY, *or* (in
the spirit of 'making life difficult for the bad guys') letting it
do everything it normally does, *except* actually installing the module
_functionality_ -- i.e., kldload executes w/o error, kldstat shows that
the module "is" loaded, etc.; but any attempt to _use_ the functionality
therein is a no-op.


Peripherally related, is there tutorial/reference, anywhere, on how the 
kernel configuration/build process _works_?  _NOT_ a "how to make a custom
kernel", but the _mechnics_ of "what goes on behinds the scenes" during
'config' execution. e.g. stuff like where 'options {foo}' etc. is defined,
what files it causes to be included, what symbols it 'defines', and what
must be (conditionally) re-compiled when it is present, or its value is 
changed.
