On 30/07/2013 11:36, Tanstaafl wrote:
> On 2013-07-30 4:11 AM, Randolph Maaßen <r.maassen60@×××××.com> wrote:
>> It needs a couple of kernel modules to work, but emerge will prompt to
>> you what it needs.
>
> Side question...
>
> I want to run the vmware tools on my gentoo VM (so the host can safely
> power it down), but it also requires modules.
>
> For security reasons I have never enabled modules on my servers, but...
|
It doesn't enhance security unless additional measures are taken (see
below).
|
>
> Is there a way to do this securely, so that *only* the necessary modules
> could ever be loaded?
|
You can use grsecurity (which is in hardened-sources). With
CONFIG_GRKERNSEC_MODSTOP enabled, you will be able to run:
|
# echo 1 > /proc/sys/kernel/grsecurity/disable_modules
|
After that, no further modules can be loaded. However, you would also
need to disable privileged I/O and the ability to write to /dev/kmem,
both of which grsecurity also facilitates.
|
--Kerin
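
An added example, not part of the original mail: a late-boot script that loads an allowlist of modules and then sets the grsecurity knob mentioned above, reading it back to confirm the lock took effect. The module names, the environment-variable overrides and the `--apply` switch are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Assumed: module names, env overrides, the --apply switch.
GRSEC_LOCK=${GRSEC_LOCK:-/proc/sys/kernel/grsecurity/disable_modules}
MODPROBE=${MODPROBE:-modprobe}
ALLOWED_MODULES=${ALLOWED_MODULES:-"vmw_balloon vmxnet3"}  # assumed guest modules

# Load each allowlisted module. Returns the number of failures, but never
# aborts early, so the caller can still apply the lock afterwards.
load_allowed() {
    failed=0
    for m in $ALLOWED_MODULES; do
        if ! "$MODPROBE" "$m"; then
            echo "warning: could not load $m" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Set the knob and read it back. Returns 2 if the knob is absent (kernel
# built without CONFIG_GRKERNSEC_MODSTOP), 1 if the write or the
# read-back check fails.
lock_modules() {
    if [ ! -e "$GRSEC_LOCK" ]; then
        echo "error: $GRSEC_LOCK not found" >&2
        return 2
    fi
    echo 1 > "$GRSEC_LOCK" || return 1
    [ "$(cat "$GRSEC_LOCK")" = "1" ]
}

# Run from a late boot script as root: sh lock-modules.sh --apply
if [ "${1:-}" = "--apply" ]; then
    load_allowed || echo "warning: continuing to lock despite load failures" >&2
    lock_modules || exit 1
fi
```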