Re: [RFC PATCH] kmod: add whitelist option

On 11/06/2012 06:24 PM, Lucas De Marchi wrote:
> Besides the ugly fact of trying to vendor-lock-in the user, what is a
> whitelist in kmod really helping? User could just remove the whitelist
> from the config.

This has nothing to do with vendor locking. The user cannot
modify the whitelist because he has no privilege to do so.
(The whitelist can be part of a security policy and managed centrally, for example.)

I mentioned RHEL, because I just explained where the request comes from.

> Really, if this patch is all about vendor-lock-in (regardless if it's
> an open source friendly company), you already got my nack.

Sorry, but this was quite unfair. I really do not understand how this
can implement vendor lock-in.

It is just another security mechanism, nothing more, nothing less.

>>
>> And some customers want to harden system using several ways.
> 
> What's impeding them to remove the modules they don't ever want to
> load from /lib/modules/ and rerun depmod?

Package verification will scream about missing and changed files
for example.

> The whitelist would be much
> more effective in a modules_install rule -> only install modules that
> are in the whitelist.

But sure, if I can manipulate modules_install, I can also change my
kernel config to not include these subsystems at all. But this is not
the use case we are trying to solve here.

Milan