There is a growing trend of providing computing resources in a hosted computing environment, also called cloud computing. These hosted computing environments typically include one or more cloud-based servers that host computing resources for one or more guests to use. These cloud-based servers may host multiple virtual machines that are owned or managed by different entities (e.g., organizations or enterprises). Although owned or serviced by different entities, these virtual machines may share their presence on a common physical computer in the hosted computing environment. Typically, administrators of the virtual machines are given full administrative access (also referred to as root access) to their respective guest systems. The administrative access permits the administrator to load kernel modules into the kernel, such as a module containing a network card driver to allow for network access via that card. However, the full administrative access to one virtual machine may give an administrator the ability to load kernel modules that may affect the other virtual machines on the common physical computer. For example, by giving administrative access to administrators of different entities, the hosted computing resources become more susceptible to attacks by a guest on top of a hypervisor (also referred to as a virtual machine monitor (VMM)). The operators of the cloud computing environment would like to exercise a modicum of control over how much access a given guest might have to privileged execution on that guest, so as to minimize the attack surface the guest might have upon the hypervisor/VMM, while still allowing full administrative access (root access) to the guest system. In some operating systems (e.g., Linux operating systems), this translates to disallowing the loading of kernel modules, which execute in a privileged context.
By limiting the privileged code to only that of a well known kernel, the operator of the hosted computing system can limit the attack surface between the guest and the VMM to only that of the well known and well tested interfaces intended to be used by the kernel. However, without the ability to load some modules, a system cannot function. For example, a module containing the network card driver must be loaded to allow for network access via that card.
Also, in the context of physical computing systems, some operating systems may limit what kernel modules can be loaded using digital signatures. If a kernel module is not digitally signed by a trusted authority, the operating system will not permit the kernel module to be loaded and executed.
These conventional approaches are limited: they do not provide system administrators with full administrative access while also giving the operator control over which kernel modules can be loaded into the kernel of the operating system.