The concept of loadable kernel modules was first introduced in Unix System V Release 4 (SVR4), where they were used primarily for device drivers. In Linux, the idea was adopted and expanded upon, with LKMs now used for a wide variety of purposes.

Advantages of Using Loadable Kernel Modules

There are several advantages to using LKMs:

- They allow for code reuse – if multiple devices need support for the same driver or filesystem, that code can be placed in a single module which can then be used by all of those devices. This reduces code duplication and clutter.
- They make it possible to add or remove functionality from the kernel without needing to recompile it – this makes debugging much easier, as problematic modules can simply be removed rather than having to recompile an entirely new kernel every time something needs to be changed or fixed.
- They improve security – since modules are not part of the main kernel image, they cannot directly attack other parts of the system if compromised. This isolation protects critical parts of the system from being attacked through vulnerabilities in less important components.

As mentioned above, LKMs can be used for a variety of purposes such as device drivers, filesystem drivers, system calls, network drivers, TTY line disciplines, executable interpreters, etc. Some common uses are listed below:

Device Drivers

One of the most common uses for LKMs is writing device drivers. A device driver is a piece of software that allows your operating system to communicate with hardware devices such as printers or graphics cards. Without device drivers, your computer would not be able to use these devices properly (or at all).

Filesystem Drivers

Another common use for LKMs is writing filesystem drivers. A filesystem is what your operating system uses to store files on disk (e.g., ext3/4), and each type of filesystem has its own driver which tells the OS how to read/write data on that particular type of filesystem.

System Calls

System calls are how user-space programs interact with the kernel; they provide a way for programs to request services from the kernel (such as reading/writing files or creating processes).

Loading kernel modules from inside a Docker container is a different matter. Docker has two major design goals here that get in your way:

A container can run largely independently of its host system; you can run an Alpine container with musl libc on a Fedora host with GNU libc. But kernel modules are extremely specific to the exact kernel they've been compiled for. If a routine host-system update added a vendor patch to the kernel, it would break your image.

Containers shouldn't be able to access things outside their own container without being explicitly granted the privilege to. A kernel module can bypass everything - filesystem permissions, container boundaries, user IDs - and so a container typically isn't allowed to run insmod and similar commands, even if the container process is running as root.

If your process needs access to host devices, and loads custom kernel modules, and in general isn't compatible with Docker's isolation system, then it's better to run it directly on the host and not in a container. Technically you can do it in a container, if at startup time you bind-mount kernel headers from the host and build a module for the currently-running kernel, and if the container is running --privileged. (You may only need --cap-add SYS_MODULE.) But this path is a lot more complex, and not any more secure, than just running a host root process.
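Whether a container can run insmod at all comes down to whether its process holds CAP_SYS_MODULE, which the default Docker capability set omits and --privileged (or --cap-add SYS_MODULE) grants. The following POSIX shell snippet is an added example, not code from the page or from Docker: it reads the CapEff mask from a /proc/<pid>/status listing and reports whether module loading is possible, so a defender can audit running containers. The two status listings are constructed samples.

```shell
#!/bin/sh
# Added example: audit whether a process could load kernel modules by
# inspecting its effective capability mask (the CapEff line of
# /proc/<pid>/status). CAP_SYS_MODULE is capability bit 16 on Linux.
CAP_SYS_MODULE_BIT=16

# cap_eff_from_status STATUSTEXT -> prints the CapEff hex string found in
# the given /proc/<pid>/status text (empty if the line is missing).
cap_eff_from_status() {
    printf '%s\n' "$1" | while read -r key val; do
        if [ "$key" = "CapEff:" ]; then
            printf '%s\n' "$val"
            break
        fi
    done
}

# has_cap_sys_module HEXMASK -> prints "yes" (and returns 0) when bit 16
# of the mask is set, otherwise "no" (and returns 1). The mask is the raw
# hex value as shown in /proc/<pid>/status, without a 0x prefix.
has_cap_sys_module() {
    mask="$1"
    if [ $(( (0x$mask >> CAP_SYS_MODULE_BIT) & 1 )) -eq 1 ]; then
        echo yes
        return 0
    fi
    echo no
    return 1
}

# Constructed sample: CapEff of a process in a default (non-privileged)
# Docker container; the default set deliberately omits CAP_SYS_MODULE.
DEFAULT_CONTAINER_STATUS='Name:   sh
CapInh: 0000000000000000
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb'

# Constructed sample: the same process started with --privileged, which
# grants the full capability set (bit 16 included).
PRIVILEGED_STATUS='Name:   sh
CapEff: 000001ffffffffff'

# check_self -> audit the calling shell itself (requires a real /proc).
check_self() {
    has_cap_sys_module "$(cap_eff_from_status "$(cat /proc/self/status)")"
}
```

Run `check_self` inside a container (or `cat /proc/<pid>/status` from the host and pass the CapEff value to `has_cap_sys_module`) to confirm that workloads which do not need module loading are not running with it.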