Index: sys/conf/options =================================================================== RCS file: /export/ncvs/src/sys/conf/options,v retrieving revision 1.295 diff -u -r1.295 options --- sys/conf/options 2001/09/29 22:32:00 1.295 +++ sys/conf/options 2001/10/04 08:07:37 @@ -526,3 +527,6 @@ # ed driver ED_NO_MIIBUS opt_ed.h + +# Disable loading and unloading of kernel modules +NO_KLD opt_kern_linker.h Index: sys/i386/conf/NOTES =================================================================== RCS file: /export/ncvs/src/sys/i386/conf/NOTES,v retrieving revision 1.961 diff -u -r1.961 NOTES --- sys/i386/conf/NOTES 2001/09/29 22:31:57 1.961 +++ sys/i386/conf/NOTES 2001/10/04 08:07:51 @@ -106,6 +106,10 @@ # options ROOTDEVNAME=\"ufs:da0s2e\" +# This prevents KLDs from being loaded at all. For those who want the +# added security but cannot run at an elevated securelevel(8). +#options NO_KLD + ##################################################################### # SMP OPTIONS: Index: sys/kern/kern_linker.c =================================================================== RCS file: /export/ncvs/src/sys/kern/kern_linker.c,v retrieving revision 1.69 diff -u -r1.69 kern_linker.c --- sys/kern/kern_linker.c 2001/09/12 08:37:44 1.69 +++ sys/kern/kern_linker.c 2001/10/04 07:47:05 @@ -27,6 +27,7 @@ */ #include "opt_ddb.h" +#include "opt_kern_linker.h" #include #include @@ -685,6 +686,10 @@ int kldload(struct thread* td, struct kldload_args* uap) { +#ifdef NO_KLD + /* Always fail */ + return EPERM; +#else char *kldname, *modname; char *pathname = NULL; linker_file_t lf; @@ -727,6 +732,7 @@ free(pathname, M_TEMP); mtx_unlock(&Giant); return (error); +#endif } /* @@ -735,6 +741,10 @@ int kldunload(struct thread* td, struct kldunload_args* uap) { +#ifdef NO_KLD + /* Always fail */ + return EPERM; +#else linker_file_t lf; int error = 0; @@ -764,6 +774,7 @@ out: mtx_unlock(&Giant); return (error); +#endif } /*
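Review bot: The `#ifdef NO_KLD` early return added at the top of kldload() disables only the kldload(2) system call entry point, while the NOTES hunk describes the option as one that "prevents KLDs from being loaded at all". Any in-kernel caller that reaches the linker without passing through this syscall is not visible in this diff, so either those paths need the same guard or the NOTES text should be narrowed to something like `# Disables the kldload(2) and kldunload(2) system calls.`. As written, an administrator could rely on the option as a substitute for an elevated securelevel and get less coverage than the comment promises. The body of kldload() continues outside this hunk, and the matching `#endif` arrives in the later `-727,6` hunk.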
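Review bot: The added `return EPERM;` in kldunload() (and the identical line in the kldload() hunk) does not follow the parenthesised return form the surrounding code uses in `return (error);`; write it as `return (EPERM);`. The `/* Always fail */` comment states what the line does but not why; something like `/* NO_KLD: module load/unload is compiled out, refuse regardless of caller. */` tells the next reader that this is a deliberate hardening choice. The part of kldunload() between `#else` and `#endif` lies mostly outside the hunks shown.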