Solved kldunload Protections - Is there any mechanism to prevent a crash from liberal use of kldunload?

gladiola

Active Member

Reaction score: 14
Messages: 126

If kldload will allow us to load a kernel module, and kldunload will allow us to unload a kernel module, then are there protections to prevent the unloading of a module that will destabilize the system?

As I look over docs for kldunload, it seems to me that the main idea is that root access is needed to implement either command. I take it that is the only restriction that will be put upon kldunload? If an attacker gains root, then can they just kldunload until the system breaks? Can one just kldunload until the system page faults at anything and stalls? Just curious.
 

monwarez

Active Member

Reaction score: 58
Messages: 142

You can increase securelevel to 1 to prevent loading and unloading of kernel module.
 

Zirias

Daemon

Reaction score: 1,416
Messages: 2,469

I'd say if an attacker ever gains root, the machine sabotaged by unloading modules should be the least of your concerns (in fact, you could be thankful for that cause it will quickly make you aware of the hostile takeover…)

That said, monwarez is right, securelevel offers a protection here. (edit: a much larger concern would be the attacker clandestinely loading additional modules to hide traces, securelevel can prevent that as well)

Additional info: unloading a module will call cleanup-functions in that module, and a module can refuse to unload (which a well-behaved module will do when it's currently in use). Of course, this can be overridden by the -f flag to kldunload(8).
 

ralphbsz

Son of Beastie

Reaction score: 2,301
Messages: 3,211

kldunload already is safe, as it does not allow unloading modules that are in use. It should not make the system unstable. If it does, you have a bug (or you are running an unsupported version or you are running on faulty or unsupported hardware). It already allows overriding that safety switch, which is unfortunately necessary.

If kldload will allow us to load a kernel module, and kldunload will allow us to unload a kernel module, then are there protections to prevent the unloading of a module that will destabilize the system?
We assume that root knows what they're doing. If they don't know what they're doing, they need to read the documentation.

If an attacker gains root, then can they just kldunload until the system breaks?
If an attacker gains root, they can just "shutdown -h now". Or reformat your disk. If an attacker gains root, the war has been lost, so arguing what they can or can not do is pointless.

Can one just kldunload until the system page faults at anything and stalls? Just curious.
See above. In theory, unloading modules should be safe, although it clearly removes functionality (but not functionality that is currently in use, unless one uses the override option).
 

Alain De Vos

Daemon

Reaction score: 613
Messages: 2,073

By unloading a module the possible surface off attack decreases. In fact running with no modules at all is the safest.
 
OP
gladiola

gladiola

Active Member

Reaction score: 14
Messages: 126

Thank you for these additional comments. The question was answered by monwarez, above.

In fact running with no modules at all is the safest.

ZFS has its own ko. Hardware drivers, some network interface capabilities like bridge, ... these items necessary to run the basics of a given system might require kernel modules. Running with no modules might be the safest, but it might challenge some of the assumptions about configuring a system. This is a good point. It seems to highlight the risks we accept as we initially configure a machine.

The situation that brought about my question was that I had some machines that were configured to require a kernel mod; if the machine's kernel was edited after that mod in a way that removed a kernel mod after boot, and then a program called a command which required the removed mod, the machine would page fault. Since I have observed this, and the machine was subsequently unresponsive after that page fault, I felt that this was an unsafe stop to the machine. This made me wonder about the behavior of machines with improperly edited configurations. Like, what if someone kldunloaded every item in kldstat? Could someone automate a crash by just unloading it all? I wondered.

If an attacker gains root, the war has been lost, so arguing what they can or can not do is pointless.

No. Systems can be defended against missteps and offensive actions by even the root user. For example, changes made by an admin might result in the automatic advisement of others in the same group. Just because an attacker gains root, it does not mean that everything has been lost. There is plenty that can be done in response to such an attack. My question was not about giving up all hope just because a big problem manifested itself.

As someone who has been programming for 35 years, I was aware that a root user could shut down the machine. I feel like I should mention that basic advice like being told root can shut the machine off was received as if it were a little bit condescending. It was kind of insulting to read that. Later, I began to realize that maybe some people would just give up if an attacker got root. Perhaps we can look beyond the abandonment of hope in the face of a catastrophic failure and recognize that there can be more which could still be done. The question was about kldunload safety. It has been answered. Thanks.
 
Top