On Mon, Jun 18, 2001 at 01:27:37AM +0000, Jim Breton wrote: > On Sun, Jun 17, 2001 at 02:44:48AM -0800, Ethan Benson wrote: > > > > compiling without module support would be mostly the same as just > > > > lcap CAP_SYS_MODULE > > > Fwiw, I have heard (though not tested myself) that even if you compile > your kernel _without_ loadable module support, you will still be able > to insert modules into the running kernel. well sort of. its not quite as simple as just loading the module. you have to manually insert the code into the running kernel and manually modify kernel memory through /dev/mem. > Again I have not tried this myself, but something to test for before > relying on a certain behavior. my lcap CAP_SYS_MODULE trick doesn't do you much good without disabling /dev/mem since its really quite trivial to go into /dev/mem and twiddle the bits of memory containing the capability bounding set. there is no example code to do this, but its explained on bugtraq quite some time ago. i think it could be done with only a couple lines of C. -- Ethan Benson http://www.alaska.net/~erbenson/
Attachment:
pgpYm9iLVXDW2.pgp
Description: PGP signature