LSM hook for module loading and unloading

Tamir Carmeli carmeli.tamir at
Mon Dec 3 22:23:51 UTC 2018

Thanks for the reference for loadpin - I didn't know this module before.

I understand that unloading a module is a pretty far-fetched security
risk. I have one use case I think might be worth a shot: An exploit in
the module unloading flow or in a vulnerable process that unloads a
module enables an attacker to unload one of the iptable_filter modules
before some user space process adds an ip filter, and by that, enables
network traffic that otherwise would have been blocked.

Again, this is pretty far fetched, but an attacker that unloads a
module that contributes to the system security might hurt the system
On Mon, Dec 3, 2018 at 6:13 PM Casey Schaufler <casey at> wrote:
> On 12/1/2018 7:49 AM, Tamir Carmeli wrote:
> > Hi,
> > I believe that this is the right place to ask the question, but if it
> > isn't please let me know of a better forum to ask.
> This is the right list.
> > Is there a reason why LSM hooks for kernel module deletion and loading
> > don't exist? (for delete_module syscall and load_module kernel
> > function)
> security_kernel_load_data() is the hook for loading.
> > Is there some design problem I'm not aware of, or whether the
> > necessity hasn't come up from any of the mainline LSMs?
> No one has seen the need for a hook during unload.
> > I'm considering to write such patch, and I'd like to hear reasons for
> > why it might be a bad idea.
> To what end? Look at the Loadpin security module in security/loadpin
> for one approach to protecting module loading.
> > Thanks.

More information about the Linux-security-module-archive mailing list