LSM hook for module loading and unloading
Casey Schaufler
casey at schaufler-ca.com
Tue Dec 4 01:51:48 UTC 2018
On 12/3/2018 2:23 PM, Tamir Carmeli wrote:
> Thanks for the reference for loadpin - I didn't know this module before.
>
> I understand that unloading a module is a pretty far-fetched security
> risk. I have one use case I think might be worth a shot: An exploit in
> the module unloading flow or in a vulnerable process that unloads a
> module enables an attacker to unload one of the iptable_filter modules
> before some user space process adds an ip filter, and by that, enables
> network traffic that otherwise would have been blocked.
How would a security module detect this case?
> Again, this is pretty far fetched, but an attacker that unloads a
> module that contributes to the system security might hurt the system
> security.
Without a user for the hook there'd be no reason to incorporate
it. I would suggest that if you can come up with an way to detect
and then prevent the attack you should look into adding that to
loadpin.
More information about the Linux-security-module-archive
mailing list