Force all usermode helper calls through a single binary
configname: CONFIG_STATIC_USERMODEHELPER
Linux Kernel Configuration
└─>Security options
└─>Force all usermode helper calls through a single binary
In linux kernel since version 4.2 (release Date: 2015-08-30)
By default, the kernel can call many different userspace
binary programs through the "usermode helper" kernel
interface. Some of these binaries are statically defined
either in the kernel code itself, or as a kernel configuration
option. However, some of these are dynamically created at
runtime, or can be modified after the kernel has started up.
To provide an additional layer of security, route all of these
calls through a single executable that can not have its name
changed.
Note, it is up to this single binary to then call the relevant
"real" usermode helper binary, based on the first argument
passed to it. If desired, this program can filter and pick
and choose what real programs are called.
If you wish for all usermode helper programs are to be
disabled, choose this option and then set
STATIC_USERMODEHELPER_PATH to an empty string.
binary programs through the "usermode helper" kernel
interface. Some of these binaries are statically defined
either in the kernel code itself, or as a kernel configuration
option. However, some of these are dynamically created at
runtime, or can be modified after the kernel has started up.
To provide an additional layer of security, route all of these
calls through a single executable that can not have its name
changed.
Note, it is up to this single binary to then call the relevant
"real" usermode helper binary, based on the first argument
passed to it. If desired, this program can filter and pick
and choose what real programs are called.
If you wish for all usermode helper programs are to be
disabled, choose this option and then set
STATIC_USERMODEHELPER_PATH to an empty string.