add support for blocking kernel modules #2274
Conversation
|
The This seems OK to me even if it's a little incongruous with the expected result of using If the return code causes problems in practice, I can look at patching |
| @@ -621,6 +621,17 @@ Here are the metrics settings: | |||
| May be set to "none" (the default in older [variants](variants/), up through aws-k8s-1.19), "integrity" (the default for newer [variants](variants/)), or "confidentiality". | |||
| **Important note:** this setting cannot be lowered (toward 'none') at runtime. | |||
| You must reboot for a change to a lower level to take effect. | |||
| * `settings.kernel.modules.<name>.allowed`: Whether the named kernel module is allowed to be loaded. | |||
There was a problem hiding this comment.
Have you considered having a blocked list? The current API implementation doesn't allow us to delete keys in the settings so if I want to allow a module in the current scheme, I have to set the allowed flag as true, which practically has the same effect as not having the setting at all. With this scheme, users could end up with many keys that they might not really need if they later decide to allow some of the previously blocked modules. But with the blocked list, they only have to modify one list, instead of many keys.
Also with a list, you can save yourself the extra if and unless statements in the handlebars template:
And probably the extra KmodSetting type.
There was a problem hiding this comment.
I did consider it. The problem with lists is that they can't be incrementally updated; you have to reapply the current state with the desired additions or removals to get to the desired state. That makes it difficult to document independent steps for disabling individual modules, which is something I had to do for the CIS benchmark.
For compliance or policy reasons, the system administrator might want to prevent certain kernel modules from being loaded, if they are not expected to be used. This isn't meant to be an ironclad guarantee that the desired kernel functionality will never be available. The module could be built into the kernel instead, or loaded early in the boot, or a core dependency of another required module. Signed-off-by: Ben Cressey <bcressey@amazon.com>
Clean up the kernel modules setting and metadata on downgrade, since older releases don't support this functionality. Signed-off-by: Ben Cressey <bcressey@amazon.com>
bcressey
force-pushed
the
kernel-modules-setting
branch
from
f551baa
to
0d79949
Compare
|
Rebased to fix the merge conflict around migrations. |
Issue number:
Fixes #2235
Fixes #2236
Description of changes:
Provide a settings API for allowing or blocking specific kernel modules.
Testing done:
Confirmed that the new settings are available on upgrade, and cleaned up properly on downgrade.
Blocking a module rewrites
modprobe.conf:A blocked module isn't loaded:
Allowing a module rewrites
modprobe.conf:An allowed module can be loaded:
Terms of contribution:
By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.