A firewall for device drivers


Posted Aug 24, 2021 2:07 UTC (Tue) by ras (subscriber, #33059)
In reply to: A firewall for device drivers by dullfire
Parent article: A firewall for device drivers

> As long as drivers are built as modules, you can just not include banned drivers in the initrd, and stick to modprobe blacklists.

Unfortunately the VM itself can change the blacklists, and obtain the modules from somewhere and insmod them. When your goal is to ensure someone who has taken over the VM can't escape from it, that's not a solution.

However, a simple sysfs "blown fuse" flag (i.e., one you cannot change back) that turns off module loading would work. You just set it in the initrd after it has loaded all the modules. There already is a corresponding capability.
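The one-way flag the comment describes exists as the `kernel.modules_disabled` sysctl: once written to 1, the kernel refuses to load or unload modules and refuses to set it back to 0. The script below is an added example of the initrd sequence (load the allowlisted modules, then blow the fuse, then verify), not code from the commenter or from LWN; the allowlist path `/etc/initrd-modules.allow` is a hypothetical name, and `SYSCTL_PATH` is overridable only so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example: lock module loading at the end of initrd setup.
# The real knob is /proc/sys/kernel/modules_disabled; it is one-way.
set -eu

SYSCTL_PATH="${SYSCTL_PATH:-/proc/sys/kernel/modules_disabled}"

list_allowlisted_modules() {
  # Print one module name per line from the allowlist file ($1);
  # blank lines and '#' comment lines are skipped.
  while IFS= read -r mod || [ -n "$mod" ]; do
    case "$mod" in ''|'#'*) continue ;; esac
    printf '%s\n' "$mod"
  done < "$1"
}

load_allowlisted_modules() {
  # Load every allowlisted module now, while modules_disabled is still 0.
  # Anything the system needs after the lock must be loaded here or built in.
  list_allowlisted_modules "$1" | while IFS= read -r mod; do
    modprobe "$mod"
  done
}

lock_module_loading() {
  # Blow the fuse. The kernel rejects any later write of 0 to this file,
  # so an attacker with root inside the VM cannot insmod a banned driver.
  printf 1 > "$SYSCTL_PATH"
}

modules_locked() {
  # Detection/verification check: succeeds (exit 0) when loading is disabled.
  [ "$(cat "$SYSCTL_PATH")" = "1" ]
}

# Entry point for the initrd script: ./lock-modules.sh run
if [ "${1:-}" = "run" ]; then
  load_allowlisted_modules /etc/initrd-modules.allow   # hypothetical path
  lock_module_loading
  modules_locked || { echo "module loading is still enabled" >&2; exit 1; }
fi
```

Run the `run` step as the last thing before pivoting to the real root, after udev coldplug has finished, or later hotplug events will fail to load their drivers. The complementary check is that `CAP_SYS_MODULE` alone no longer helps once the sysctl is 1, which is what makes this stronger than a blacklist the VM can edit.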



Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds