[OpenWrt-Devel] Building OpenWRT static kernels
david at lang.hm
Mon Mar 23 13:27:26 EDT 2015
On Mon, 23 Mar 2015, Jean-Michel Pouré - GOOZE wrote:
> Le lundi 23 mars 2015 à 16:21 +0100, Jonas Gorski a écrit :
>> This is currently not easily possible with OpenWrt, as it contains
>> several "out-of-tree" kernel modules, which aren't part of the kernel
>> sources and thus can't be statically linked into the kernel. For
>> example all wifi drivers are build this way, to use newer driver
>> versions with older / "stable" kernel versions.
>> For those build from the kernel sources, you could probably change all
>> CONFIG_FOO to CONFIG_FOO=y in package/kernel/linux/modules/*, which
>> will then make those modules built-in. But this won't work for the out
>> of tree modules.
> OK. So what kind of security offer OpenWRT to prevent an attacker from
> loading modules into the kernel?
you have to be root to load a module into the kernel, so standard Unix tools for
controlling root come into play.
Unless you go to extreme lengths, just disabling module loading isn't enough to
protect your system from root. root can alter memory (through /dev/kmem and
similar), insert breakpoints that change things, and if nothing else, change the
kernel image in the flash that will be loaded the next time you boot.
> I will try a static compilation and report.
> For information, D-Link routers from the GS-1210 line are compiled with
> static modules AND GrSec to offer memory randomization and prevent
> dynamic loading of modules. I don't know how many professional products
> are compiled with static modules, but my thumbs say "most of them".
you would be horrified to look under the covers of most linux based appliances,
a lot of them are running a stock redhat/centos install with very little
customization outside of the userspace app that they run. Gaping security holes
in such appliances are common.
-------------- next part --------------
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
More information about the openwrt-devel