Re: [RFC PATCH] kmod: add whitelist option

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Mar 22, 2013 at 1:18 PM, Tom Gundersen <teg@xxxxxxx> wrote:
> On Fri, Mar 22, 2013 at 3:33 PM, Lucas De Marchi
> <lucas.demarchi@xxxxxxxxxxxxxx> wrote:
>> I'm no huge fan of this feature. Indeed I think it's a pretty broken
>> feature (just not as broken as the install rules we need to carry for
>> compatibility reasons). I also think that for people that needs this a
>> custom kernel with things compiled-in would be way better.
>
> Just to add my two cents to the 'this is a bad idea'-choir: This
> feature seems to be at the wrong level of the stack. There is nothing
> forcing you to use libkmod to load modules, so there would be no
> guarantee that only the modules on the white-list can be loaded (i.e.,
> adding this feature would not have the same guarantee as rebuilding
> the kernel with only the whitelisted modules enabled, contrary to what
> I guess one would expect?).
>
> Could you do something similar to what was done with finit_module()
> and the kernel_module_from_file hook? With the right security module
> it seems like you should be able to catch all modules and verify that
> they conform to whatever criterion you have.
>
> Of course, if Lucas wants to maintain this feature that is his call :-)


So, after actually reviewing the code and not only the idea behind I
came to conclusion this is actually worse than I expected.

But I don't think having this in kernel and maintaining a list of
whitelisted module is good - otherwise it would be easier to just have
modules compiled statically. And if the kernel is going to call
userspace to allow/deny module loading, how this is supposed to be?
Another helper?

Josh/Milan, could you come up with an alternative solution to what you
are trying to accomplish? It seems to be a very limited use-case
(hardened systems) that may hurt others that don't want this,
rendering their machines unbootable.

thanks.
Lucas De Marchi
--
To unsubscribe from this list: send the line "unsubscribe linux-modules" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Index of Archives]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [Big List of Linux Books]

  Powered by Linux