Thanks for the reference for loadpin - I didn't know this module before.

I understand that unloading a module is a pretty far-fetched security
risk. I have one use case I think might be worth a shot: An exploit in
the module unloading flow or in a vulnerable process that unloads a
module enables an attacker to unload one of the iptable_filter modules
before some user space process adds an ip filter, and by that, enables
network traffic that otherwise would have been blocked.

Again, this is pretty far fetched, but an attacker that unloads a
module that contributes to the system security might hurt the system
security.
On Mon, Dec 3, 2018 at 6:13 PM Casey Schaufler [off-list ref] wrote:

On 12/1/2018 7:49 AM, Tamir Carmeli wrote:

quoted

Hi,
I believe that this is the right place to ask the question, but if it
isn't please let me know of a better forum to ask.

This is the right list.

quoted

Is there a reason why LSM hooks for kernel module deletion and loading
don't exist? (for delete_module syscall and load_module kernel
function)

security_kernel_load_data() is the hook for loading.

quoted

Is there some design problem I'm not aware of, or whether the
necessity hasn't come up from any of the mainline LSMs?

No one has seen the need for a hook during unload.

quoted

I'm considering to write such patch, and I'd like to hear reasons for
why it might be a bad idea.

To what end? Look at the Loadpin security module in security/loadpin
for one approach to protecting module loading.

quoted

Thanks.