On 11/06/2012 06:24 PM, Lucas De Marchi wrote:
> Besides the ugly fact of trying to vendor-lock-in the user, what is a
> whitelist in kmod really helping? User could just remove the whitelist
> from the config.

This has nothing to do with vendor lock-in.

The user cannot modify the whitelist because he has no privilege to do it.
(The whitelist can be part of a security policy and managed centrally, for example.)

I mentioned RHEL because I just explained where the request comes from.

> Really, if this patch is all about vendor-lock-in (regardless if it's
> an open source friendly company), you already got my nack.

Sorry, but this was quite unfair. I really do not understand how this
can implement vendor lock-in. It is just another security mechanism,
nothing more, nothing less.

>>
>> And some customers want to harden system using several ways.
>
> What's impeding them to remove the modules they don't ever want to
> load from /lib/modules/ and rerun depmod?

Package verification will scream about missing and changed files, for example.

> The whitelist would be much
> more effective in a modules_install rule -> only install modules that
> are in the whitelist.

But sure, if I can manipulate module_install, I can also change my kernel
config to not include these subsystems at all.
But this is not the use case we are trying to solve here.

Milan