Re: [RFC PATCH] kmod: add whitelist option

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Milan,

On Tue, Nov 6, 2012 at 1:20 PM, Milan Broz <mbroz@xxxxxxxxxx> wrote:
> On 11/06/2012 02:54 PM, Dave Reisner wrote:
>> On Tue, Nov 06, 2012 at 01:03:04PM +0100, Milan Broz wrote:
>>> The whitelist option allows setup of hardened systems, only
>>> modules on whitelist are allowed to load.
>>>
>>> This patch adds "whitelist" option and definition to libkmod
>>> allowing to work with whitelist (similar to blakclist, except
>>> whitelist, once defined, is unconditional).
>>>
>>> Without defined whitelist, there is no change.
>>>
>>> If at least one whitelist command is specified, module loading
>>> is limited to module matching loaded whitelist.
>>>
>>> For more context see bug
>>> https://bugzilla.redhat.com/show_bug.cgi?id=560084
>>
>> I don't really agree with the "surprise enablement" use case presented.
>> There aren't really any negatives presented that explain what sort of
>> problems it avoids. Generally, it seems like a bit of an edge case --
>> one where the user might as well just be compiling their own kernel with
>> a particular subsystem (v4l, 802.11, bluetooth) removed to prevent this
>> sort of thing.
>
> Hi,
>
> Yes, I fully agree, in ideal world I will not compile modules into kernel
> at all if I do not want them.
>
> But the problem comes from enterprise RHEL world - you have stock kernel
> with some set of modules (and you cannot or do not want to compile own,
> the reason can be lost of support, certification etc).

Besides the ugly fact of trying to vendor-lock-in the user, what is a
whitelist in kmod really helping? User could just remove the whitelist
from the config.

Really, if this patch is all about vendor-lock-in (regardless if it's
an open source friendly company), you already got my nack.


>
> And some customers want to harden system using several ways.

What's impeding them to remove the modules they don't ever want to
load from /lib/modules/ and rerun depmod? The whitelist would be much
more effective in a modules_install rule -> only install modules that
are in the whitelist.


I'll think about it, but in a first look I really don't see any benefit.


Lucas De Marchi
--
To unsubscribe from this list: send the line "unsubscribe linux-modules" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [Big List of Linux Books]

  Powered by Linux