On Fri, Mar 22, 2013 at 2:46 PM, Daniel Dadap <ddadap@xxxxxxxxxx> wrote: > On 03/22/2013 11:49 AM, Lucas De Marchi wrote: >> >> On Fri, Mar 22, 2013 at 1:18 PM, Tom Gundersen<teg@xxxxxxx> wrote: >>> >>> On Fri, Mar 22, 2013 at 3:33 PM, Lucas De Marchi >>> <lucas.demarchi@xxxxxxxxxxxxxx> wrote: >>>> >>>> I'm no huge fan of this feature. Indeed I think it's a pretty broken >>>> feature (just not as broken as the install rules we need to carry for >>>> compatibility reasons). I also think that for people that needs this a >>>> custom kernel with things compiled-in would be way better. >>> >>> Just to add my two cents to the 'this is a bad idea'-choir: This >>> feature seems to be at the wrong level of the stack. There is nothing >>> forcing you to use libkmod to load modules, so there would be no >>> guarantee that only the modules on the white-list can be loaded (i.e., >>> adding this feature would not have the same guarantee as rebuilding >>> the kernel with only the whitelisted modules enabled, contrary to what >>> I guess one would expect?). >>> >>> Could you do something similar to what was done with finit_module() >>> and the kernel_module_from_file hook? With the right security module >>> it seems like you should be able to catch all modules and verify that >>> they conform to whatever criterion you have. >>> >>> Of course, if Lucas wants to maintain this feature that is his call :-) >> >> >> So, after actually reviewing the code and not only the idea behind I >> came to conclusion this is actually worse than I expected. >> >> But I don't think having this in kernel and maintaining a list of >> whitelisted module is good - otherwise it would be easier to just have >> modules compiled statically. And if the kernel is going to call >> userspace to allow/deny module loading, how this is supposed to be? >> Another helper? >> >> Josh/Milan, could you come up with an alternative solution to what you >> are trying to accomplish? It seems to be a very limited use-case >> (hardened systems) that may hurt others that don't want this, >> rendering their machines unbootable. > > > If the goal is to harden a system by allowing only certain modules to load, > then how about using CONFIG_MODULE_SIG_FORCE, and only signing modules on > the whitelist, and keeping kmod out of it completely? That seems like > exactly the kind of use case that CONFIG_MODULE_SIG_FORCE would be good for. That's a fine suggestion for individuals building their own kernel. One I would indeed recommend. It does not work for people using a distro provided kernel but wanting to limit the modules loaded on their individual systems. Now, there is something almost the opposite they could do. If the distro modules are signed, they could pass the enforcing parameter to the kernel and strip the signature off of any modules they don't want loaded. Might work. josh -- To unsubscribe from this list: send the line "unsubscribe linux-modules" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html