From: Mihai RUSU (dizzy_at_roedu.net)
Date: Thu 05 Dec 2002 - 13:05:45 GMT
For some time I thought that running kernels without module support is a
complete solution to kernel rootkits. That was wrong as there are some
other ways except modules: /dev/mem, DMA programming ...
I am willing to try this setup to protect against kernel rootkits:
- have a _base_ system which has only elemental programs including vserver
- have another / system (like /mnt/vserver) where I put files needed for a
server (daemons, sshd, system programs, development tools etc...)
- run a moduleless kernel with ctx support that after it boots it starts
another init in a different context having root in /mnt/vserver and
capbound to not: chroot, I/O direct access
Can that be done with vserver? Is there a capability that sets the
permission to do I/O with the hardware directly? If so, can that be
"bounded" with vserver?
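An added example, not part of the original message: a check that the capability bounding set of a process no longer contains the three capabilities the setup above wants removed. It assumes a current Linux kernel that exposes `CapBnd` in `/proc/<pid>/status` (not the 2002 vserver interface), where `CAP_SYS_RAWIO` is the capability gating `/dev/mem` and I/O port access; the helper name `risky_from_status` and both sample strings are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability bit numbers as defined in <linux/capability.h>. */
enum { BIT_SYS_MODULE = 16, BIT_SYS_RAWIO = 17, BIT_SYS_CHROOT = 18 };

/* Constructed samples of /proc/<pid>/status content (not from the post). */
static const char SAMPLE_FULL[] =
    "Name:\tinit\nCapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\n";
static const char SAMPLE_BOUNDED[] =
    "Name:\tinit\nCapEff:\t000001fffff8ffff\nCapBnd:\t000001fffff8ffff\n";

/* Hypothetical helper: reports which of the three capabilities remain in
 * the bounding set (1 = module loading, 2 = raw I/O, 4 = chroot).
 * Returns 0 if all are dropped, -1 if no valid CapBnd line is found. */
int risky_from_status(const char *status)
{
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, "CapBnd:", 7) == 0) {
            const char *q = p + 7;
            while (*q == ' ' || *q == '\t') q++;
            if (!isxdigit((unsigned char)*q))
                return -1;              /* field present but empty */
            unsigned long long m = strtoull(q, NULL, 16);
            return (int)((m >> BIT_SYS_MODULE & 1) |
                         (m >> BIT_SYS_RAWIO & 1) << 1 |
                         (m >> BIT_SYS_CHROOT & 1) << 2);
        }
        p = strchr(p, '\n');            /* advance to the next line */
        if (p) p++;
    }
    return -1;
}

int main(void)
{
    static char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f);
    buf[n] = '\0';
    int r = risky_from_status(n ? buf : SAMPLE_FULL);  /* sample if no /proc */
    if (r < 0) { puts("no CapBnd field found"); return 2; }
    printf("module loading: %s\nraw I/O: %s\nchroot: %s\n",
           r & 1 ? "ALLOWED" : "dropped", r & 2 ? "ALLOWED" : "dropped",
           r & 4 ? "ALLOWED" : "dropped");
    return r ? 1 : 0;                   /* non-zero exit if anything remains */
}
```

Run inside the confined context, an exit status of 0 means none of the three capabilities can be regained by any process there, including root.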