Re: LSM hook for module loading and unloading
From: Casey Schaufler <casey@schaufler-ca.com>
Date: 2018-12-04 01:51:55
On 12/3/2018 2:23 PM, Tamir Carmeli wrote:
> Thanks for the reference for loadpin - I didn't know this module before. I understand that unloading a module is a pretty far-fetched security risk. I have one use case I think might be worth a shot: An exploit in the module unloading flow or in a vulnerable process that unloads a module enables an attacker to unload one of the iptable_filter modules before some user space process adds an ip filter, and by that, enables network traffic that otherwise would have been blocked.

How would a security module detect this case?

> Again, this is pretty far fetched, but an attacker that unloads a module that contributes to the system security might hurt the system security.
Without a user for the hook there'd be no reason to incorporate it. I would suggest that if you can come up with a way to detect and then prevent the attack you should look into adding that to loadpin.