
Linux - Modules

The word "Module" can mean different things in Linux.

Loadable Kernel Modules (LKM)

Previously, if you wanted a feature that was not included in the default kernel, or needed to support special hardware, you had to recompile the Linux kernel; now you can use Loadable Kernel Modules (LKM) instead.

A kernel module is a piece of compiled binary code that is inserted directly into the Linux kernel and runs at ring 0, the lowest and least restricted (most privileged) ring of execution on x86-64 processors. A faulty or malicious module therefore has full control over the system.

  • list installed modules: lsmod, or check /proc/modules;
  • load modules on the fly (often used for devices, file systems, system calls, etc.)
    • insmod, simply tries to load a module.
    • modprobe, tries to determine if the module it is loading needs other modules and picks them up from a known location.
  • remove modules: rmmod
  • check dependencies: depmod
  • check info: modinfo
  • kernel module suffix: .ko (Kernel Object).
  • location: /lib/modules or /usr/lib/modules/.
  • use modinfo XXX to list the attributes of a Kernel module.
  • examples: firmware and device drivers.

Linux differs from macOS and Windows: it includes drivers at the kernel level.

Commands:

  • Install: $ insmod <module> (does not resolve dependencies) or $ modprobe <module> (more powerful than insmod)
  • Remove: $ rmmod <module>
  • List: $ lsmod (prints the formatted contents of /proc/modules)
  • Rebuild the module dependency database at /lib/modules/$(uname -r)/modules.dep: $ depmod -a
  • Info: $ modinfo /path/to/module.ko
  • List all available modules: ls -R /lib/modules/$(uname -r)
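
Because lsmod only formats /proc/modules, the same file can be parsed directly when auditing which loaded modules taint the kernel. The script below is an added example, not part of the original notes; the module names in the sample are constructed, and the function name flag_modules is hypothetical.

```shell
#!/bin/sh
# Added example: parse /proc/modules-format text and report modules that
# carry kernel taint flags (a quick audit of what is running at ring 0).

# Constructed sample in /proc/modules layout:
#   name size refcount used-by state address [(taint flags)]
SAMPLE_MODULES='nf_tables 311296 1 nft_chain_nat, Live 0xffffffffc0a10000
nft_chain_nat 16384 0 - Live 0xffffffffc0a00000
examplemod 20480 0 - Live 0xffffffffc09f0000 (OE)
vendordrv 57344 2 - Live 0xffffffffc09e0000 (POE)'

# flag_modules [FILE]
# Reads FILE (default: stdin) and prints one line per tainting module:
#   <name> <flags> <meaning,...>
# Taint letters decoded: P proprietary, O out-of-tree, E unsigned,
# F force-loaded, C staging driver. Other characters are kept in <flags>.
flag_modules() {
    awk '
    NF >= 7 && $7 ~ /^\(/ {
        flags = $7
        gsub(/[()]/, "", flags)            # "(OE)" -> "OE"
        why = ""
        if (index(flags, "P")) why = why "proprietary,"
        if (index(flags, "O")) why = why "out-of-tree,"
        if (index(flags, "E")) why = why "unsigned,"
        if (index(flags, "F")) why = why "force-loaded,"
        if (index(flags, "C")) why = why "staging,"
        sub(/,$/, "", why)
        if (why == "") why = "other"
        print $1, flags, why
    }' ${1:+"$1"}
}

# Demo on the constructed sample; on a live host run: flag_modules /proc/modules
printf '%s\n' "$SAMPLE_MODULES" | flag_modules
```

Any module reported here deserves a follow-up with modinfo to confirm where it came from and who signed it.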

Linux Security Modules (LSM)

Linux Security Modules (LSM) are NOT loadable kernel modules. They are selectable at build-time via CONFIG_DEFAULT_SECURITY and can be overridden at boot-time.

Examples: SELinux (Red Hat), AppArmor (Ubuntu).

SELinux

SELinux is an implementation of Mandatory Access Control (MAC), in contrast to the standard Unix model of Discretionary Access Control (DAC).

SELinux comes installed by default on Red Hat distributions.

To check your SELinux mode, run sestatus and check the output. For example:

$ sestatus
SELinux status:                 disabled

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          error (Success)
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

Concepts:

  • Multi-Level Security (MLS)
  • Multi-Category Security (MCS)

Permissive vs Enforcing Mode:

  • Permissive Mode: SELinux logs access control violations but does not enforce the policy.
  • Enforcing Mode: SELinux enforces the policy, denying access that violates it.

AppArmor

Ubuntu Server's Mandatory Access Control (MAC) system. Equivalent to Red Hat's SELinux.

AppArmor vs SELinux

  • SELinux identifies file system objects by inode number; it is difficult for administrators to set up and maintain.
  • AppArmor identifies file system objects by path.

Under AppArmor an inaccessible file may become accessible if a hard link to it is created. SELinux's inode-based model has always inherently denied access through newly created hard links because the hard link would be pointing to an inaccessible inode.

Linux Pluggable Authentication Modules (PAM)

pam - Pluggable Authentication Modules for Linux.

PAM configuration files are stored in /etc/pam.