To use modprobe, root access is required. If malware already has root access, why bother using modprobe?
If an application runs as root (or any user) under mandatory access control (MAC) such as AppArmor or Firejail, it cannot use modprobe, since MAC would prevent that.
Maybe we have to distinguish between
- a process running as root under MAC,
- “full root compromise”, i.e. a process that runs unconfined (without MAC) as root,
- and kernel compromise?
The question of this thread is: is the kernel capable of resisting full root compromise?