New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add support for blocking kernel modules #2274
add support for blocking kernel modules #2274
Conversation
The This seems OK to me even if it's a little incongruous with the expected result of using If the return code causes problems in practice, I can look at patching |
@@ -621,6 +621,17 @@ Here are the metrics settings: | |||
May be set to "none" (the default in older [variants](variants/), up through aws-k8s-1.19), "integrity" (the default for newer [variants](variants/)), or "confidentiality". | |||
**Important note:** this setting cannot be lowered (toward 'none') at runtime. | |||
You must reboot for a change to a lower level to take effect. | |||
* `settings.kernel.modules.<name>.allowed`: Whether the named kernel module is allowed to be loaded. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Have you considered having a blocked
list? The current API implementation doesn't allow us to delete keys in the settings so if I want to allow a module in the current scheme, I have to set the allowed
flag as true, which practically has the same effect as not having the setting at all. With this scheme, users could end up with many keys that they might not really need if they later decide to allow some of the previously blocked modules. But with the blocked
list, they only have to modify one list, instead of many keys.
Also with a list, you can save yourself the extra if
and unless
statements in the handlebars template:
{{#each settings.kernel.modules.blocked}}
install {{this}} /bin/true
{{/each}}
And probably the extra KmodSetting
type.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I did consider it. The problem with lists is that they can't be incrementally updated; you have to reapply the current state with the desired additions or removals to get to the desired state. That makes it difficult to document independent steps for disabling individual modules, which is something I had to do for the CIS benchmark.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice! 🚀
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
😶🌫️
For compliance or policy reasons, the system administrator might want to prevent certain kernel modules from being loaded, if they are not expected to be used. This isn't meant to be an ironclad guarantee that the desired kernel functionality will never be available. The module could be built into the kernel instead, or loaded early in the boot, or a core dependency of another required module. Signed-off-by: Ben Cressey <bcressey@amazon.com>
Clean up the kernel modules setting and metadata on downgrade, since older releases don't support this functionality. Signed-off-by: Ben Cressey <bcressey@amazon.com>
f551baa
to
0d79949
Compare
Rebased to fix the merge conflict around migrations. |
Issue number:
Fixes #2235
Fixes #2236
Description of changes:
Provide a settings API for allowing or blocking specific kernel modules.
Testing done:
Confirmed that the new settings are available on upgrade, and cleaned up properly on downgrade.
Blocking a module rewrites
modprobe.conf
:A blocked module isn't loaded:
Allowing a module rewrites
modprobe.conf
:An allowed module can be loaded:
Terms of contribution:
By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.