From: Kees Cook <kees@ubuntu.com>
Date: Thu, 2 Apr 2009 22:49:29 +0000 (-0700)
Subject: modules: sysctl to block module loading
X-Git-Tag: v2.6.31-rc1~395^2^2~45
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3d43321b7015387cfebbe26436d0e9d299162ea1;p=pandora-kernel.git

modules: sysctl to block module loading

Implement a sysctl file that disables module-loading system-wide since
there is no longer a viable way to remove CAP_SYS_MODULE after the system
bounding capability set was removed in 2.6.25.

Value can only be set to "1", and is tested only if standard capability
checks allow CAP_SYS_MODULE.  Given existing /dev/mem protections, this
should allow administrators a one-way method to block module loading
after initial boot-time module loading has finished.

Signed-off-by: Kees Cook <kees.cook@canonical.com>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
---

Reading git-diff-tree failed