Editing Loadable kernel module (section)

== Security ==
While loadable kernel modules are a convenient method of modifying the running kernel, this can be abused by attackers on a compromised system to prevent detection of their [[Process (computing)|processes]] or [[Computer file|file]]s, allowing them to maintain control over the system.  Many [[rootkit]]s make use of LKMs in this way. Note that, on most operating systems, modules do not help [[privilege elevation]] in any way, as elevated privilege is required to load a LKM; they merely make it easier for the attacker to hide the break-in.<ref>[http://www.ouah.org/reiterlkm.htm Exploiting Loadable Kernel Modules ] {{webarchive|url=https://web.archive.org/web/20120204165532/http://www.ouah.org/reiterlkm.htm |date=2012-02-04 }}</ref>

=== Linux ===
Linux allows disabling module loading via [[sysctl]] option <code>/proc/sys/kernel/modules_disabled</code>.<ref>{{cite web|title=Sysctl/kernel.txt|url=https://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=blob;f=Documentation/sysctl/kernel.txt;hb=HEAD|archive-url=https://archive.today/20130415070311/http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=blob;f=Documentation/sysctl/kernel.txt;hb=HEAD|url-status=dead|archive-date=April 15, 2013|access-date=January 4, 2013}}</ref><ref>{{cite web
 | url = https://outflux.net/blog/archives/2012/11/28/clean-module-disabling/
 | title = Clean module disabling
 | date = 2012-11-28
 | access-date = 2020-10-05
 | author = Kees Cook
 | publisher = outflux.net
 }}</ref>  An [[initial ramdisk|initramfs]] system may load specific modules needed for a machine at boot and then disable module loading.  This makes the security very similar to a monolithic kernel.  If an attacker can change the initramfs, they can change the kernel binary.

=== macOS ===
In [[OS X Yosemite]] and later releases, a kernel extension has to be [[Code signing|code-signed]] with a developer certificate that holds a particular "entitlement." Such a developer certificate is only provided by Apple on request and not automatically given to [[Apple Developer]] members. This feature, called "kext signing", is enabled by default and it instructs the kernel to stop booting if unsigned kernel extensions are present.<ref>{{Cite web|url=https://developer.apple.com/library/content/documentation/Security/Conceptual/System_Integrity_Protection_Guide/KernelExtensions/KernelExtensions.html|title=Kernel Extensions|date=September 16, 2015|website=Mac Developer Library|publisher=Apple|archive-url=https://web.archive.org/web/20160817085001/https://developer.apple.com/library/mac/documentation/Security/Conceptual/System_Integrity_Protection_Guide/KernelExtensions/KernelExtensions.html|archive-date=August 17, 2016|url-status=live|access-date=September 29, 2016}}</ref> In [[OS X El Capitan|{{Nowrap|OS X}} El Capitan]] and later releases, it is part of [[System Integrity Protection]].

In older versions of macOS, or if kext signing is disabled, a loadable kernel module in a kernel extension bundle can be loaded by non-root users if the OSBundleAllowUserLoad property is set to True in the bundle's property list.<ref>{{cite web|title=Info.plist Properties for Kernel Extensions|url=https://developer.apple.com/library/mac/#documentation/Darwin/Conceptual/KEXTConcept/Articles/infoplist_keys.html|publisher=[[Apple Inc.]]|access-date=September 27, 2012|url-status=live|archive-url=https://web.archive.org/web/20120926232217/http://developer.apple.com/library/mac/#documentation/Darwin/Conceptual/KEXTConcept/Articles/infoplist_keys.html|archive-date=September 26, 2012}}</ref> However, if any of the files in the bundle, including the executable code file, are not owned by root and group wheel, or are writable by the group or "other", the attempt to load the kernel loadable module will fail.<ref>{{man|8|kextload|Darwin}}</ref>

=== Solaris ===
Kernel modules can optionally have a cryptographic signature ELF section which is verified on load depending on the Verified Boot policy settings. The kernel can enforce that modules are cryptographically signed by a set of trusted certificates; the list of trusted certificates is held outside of the OS in the ILOM on some SPARC based platforms. Userspace initiated kernel module loading is only possible from the Trusted Path when the system is running with the Immutable Global Zone feature enabled.