how to disable loadable kernel moduels?

Lars Eighner luvbeastie at
Thu Feb 25 00:02:54 UTC 2010

On Wed, 24 Feb 2010, Robert Bonomi wrote:

> I'm building custom kernels for use in 'hostile' environments -- where I
> need to enforce "restricted" capabilities, even in the event of malicious
> 'root' access.  (if the bad guy has *physical* access to the machine, I
> know I'm toast, so I don't try to protect against _that_ in software --
> beyond the usual access-control mechnisms, that is.)
> To accomplish this, I need to (among other things) *completely* disable
> kernel 'loadable module' functionality.  Building the required monolithic
> kernel is no problem, and by booting from _physical_ read-only media, I
> can protect against bootloader/kernel/application substitution.  I just
> need to make it "impossible" to add modules to the running system.

I don't see how this is really bullet-proof possible.  Anyone with root
access can edit loader.conf and force a reboot --- or wait until a power
interuption or something causes a reboot.  You pretty much have to be able
to reboot the machine, soo...

It seems to me you could replace kldload (the command, not the system call)
with a dummy script which would raise the bar a bit.  You could remove (I
think) the modules you are afraid of, but someone with root priviledges
could replace them with trojans.

Lars Eighner
8800 N IH35 APT 1191 AUSTIN TX 78753-5266

More information about the freebsd-questions mailing list