On Wed, 2004-06-30 at 01:21, Arjan van de Ven wrote:
Hi,
as will be able to see in todays rawhide, we're experimenting with
adding a patch for gpg-signed kernel modules. The idea behind this is
for the administrator to *optionally* [1] restrict the set of modules
that can be linked into the kernel. In selinux context one can even
eventually allow different security contexts to load different subsets
of modules, by restricting certain contexts to a predefined gpg keys
only.
The work isn't complete yet by far, this is just a heads up. Input for
creative uses of this infrastructure is welcome :)
I have a long list of machines that would love this.. especially if it
can be worked into not voiding a RHEL contract in the future :).
Basically, there is always a class of machines that may be RHEL that
have to split between getting support and being able to show that kernel
cant be easily tampered with while running. [Now to just figure out how
to get some of the advanced patch-o-matic patches in for connection
tracking and not void my RHEL support ;)]
--
Stephen John Smoogen smoogen(a)lanl.gov
Los Alamos National Lab CCN-5 Sched 5/40 PH: 4-0645
Ta-03 SM-1498 MailStop B255 DP 10S Los Alamos, NM 87545
-- Please, I have had too much of the stupid today. Please wait until
-- tomorrow to say these things so my tolerance has refreshed.