Re: [RFC PATCH] kmod: add whitelist option

On Fri, Mar 22, 2013 at 3:33 PM, Lucas De Marchi
<lucas.demarchi@xxxxxxxxxxxxxx> wrote:
> I'm no huge fan of this feature. Indeed I think it's a pretty broken
> feature (just not as broken as the install rules we need to carry for
> compatibility reasons). I also think that for people that need this a
> custom kernel with things compiled-in would be way better.

Just to add my two cents to the 'this is a bad idea'-choir: This
feature seems to be at the wrong level of the stack. There is nothing
forcing you to use libkmod to load modules, so there would be no
guarantee that only the modules on the white-list can be loaded (i.e.,
adding this feature would not have the same guarantee as rebuilding
the kernel with only the whitelisted modules enabled, contrary to what
I guess one would expect?).

Could you do something similar to what was done with finit_module()
and the kernel_module_from_file hook? With the right security module
it seems like you should be able to catch all modules and verify that
they conform to whatever criterion you have.

Of course, if Lucas wants to maintain this feature that is his call :-)

Cheers,

Tom