Unverified Commit 923ad09a authored by Shawn Webb

Only look for the kernel module if not jailed.

KLD-related system calls have been hardened to disallow jailed users
from seeing any KLD information.

Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
github-issue:	#34
parent 2a03aba1
...@@ -46,14 +46,20 @@ command_args="load ${secadm_rules}" ...@@ -46,14 +46,20 @@ command_args="load ${secadm_rules}"
secadm_prestart() secadm_prestart()
{ {
local jailed
jailed=$(sysctl -n security.jail.jailed)
if [ ! -f ${secadm_rules} ] if [ ! -f ${secadm_rules} ]
then then
echo "missing rules file: ${secadm_rules}" echo "missing rules file: ${secadm_rules}"
return 1 return 1
fi fi
if ! /sbin/kldstat -qm secadm; then if [ ${jailed} -eq 0 ]; then
/sbin/kldload secadm if ! /sbin/kldstat -qm secadm; then
/sbin/kldload secadm
fi fi
} }
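Review bot: `${jailed}` in the new `if [ ${jailed} -eq 0 ]; then` test is unquoted and never validated, so if `sysctl -n security.jail.jailed` fails or prints nothing the test collapses to `[ -eq 0 ]`, which errors and evaluates false, and the module load is skipped on a non-jailed host with no clear message. Quote it and give it a default, for example `if [ "${jailed:-0}" -eq 0 ]; then`, so a failed lookup falls back to the previous behaviour of checking for and loading the module. Two smaller points: `sysctl` is called by bare name while `kldstat` and `kldload` use `/sbin/` paths, so `/sbin/sysctl` would be consistent; and a one-line comment above the check saying that jails cannot see KLD information, so the module has to be loaded from the host, would save the next reader a trip to the commit log.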