Re: [RFC PATCH] kmod: add whitelist option

On Fri, Mar 22, 2013 at 12:18 PM, Tom Gundersen <teg@xxxxxxx> wrote:
> On Fri, Mar 22, 2013 at 3:33 PM, Lucas De Marchi
> <lucas.demarchi@xxxxxxxxxxxxxx> wrote:
>> I'm no huge fan of this feature. Indeed I think it's a pretty broken
>> feature (just not as broken as the install rules we need to carry for
>> compatibility reasons). I also think that for people that need this a
>> custom kernel with things compiled-in would be way better.
>
> Just to add my two cents to the 'this is a bad idea'-choir: This
> feature seems to be at the wrong level of the stack. There is nothing
> forcing you to use libkmod to load modules, so there would be no
> guarantee that only the modules on the white-list can be loaded (i.e.,
> adding this feature would not have the same guarantee as rebuilding
> the kernel with only the whitelisted modules enabled, contrary to what
> I guess one would expect?).

You are not incorrect; however, rebuilding the kernel isn't always an
option.

> Could you do something similar to what was done with finit_module()
> and the kernel_module_from_file hook? With the right security module
> it seems like you should be able to catch all modules and verify that
> they conform to whatever criterion you have.

That is also something to look into.

josh
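
An added example (not from the thread or from the kmod project) of the point discussed above: a load that does not go through libkmod still has to call init_module() or finit_module(), so a check at the syscall level sees it. It assumes Linux audit SYSCALL records on x86_64; the log lines, the expected-loader path /usr/bin/kmod and the path /opt/tools/rawload are constructed for illustration.

```python
import re

# x86_64 syscall numbers for the two module-loading syscalls.
MODULE_LOAD_SYSCALLS = {175: "init_module", 313: "finit_module"}
X86_64_ARCH = "c000003e"

# Assumption: on this host only the kmod binary is expected to load modules.
EXPECTED_LOADERS = {"/usr/bin/kmod"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed audit records (not taken from a real system).
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1363968000.101:901): arch=c000003e syscall=313 '
    'success=yes exit=0 pid=412 uid=0 comm="modprobe" exe="/usr/bin/kmod"',
    'type=SYSCALL msg=audit(1363968001.202:902): arch=c000003e syscall=175 '
    'success=yes exit=0 pid=977 uid=0 comm="rawload" exe="/opt/tools/rawload"',
    'type=SYSCALL msg=audit(1363968002.303:903): arch=c000003e syscall=2 '
    'success=yes exit=3 pid=980 uid=0 comm="cat" exe="/usr/bin/cat"',
    'type=SYSCALL msg=audit(1363968003.404:904): arch=c000003e syscall=313 '
    'success=no exit=-1 pid=991 uid=0 comm="python3" exe="/usr/bin/python3"',
]


def parse_record(line):
    """Split one audit record into a dict of key=value fields."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def unexpected_module_loads(lines, expected=EXPECTED_LOADERS):
    """Return (exe, syscall_name, succeeded) for every module-load syscall
    issued by an executable outside the expected set."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        # Syscall numbers are per-architecture; only x86_64 is handled here.
        if rec.get("type") != "SYSCALL" or rec.get("arch") != X86_64_ARCH:
            continue
        number = rec.get("syscall", "")
        name = MODULE_LOAD_SYSCALLS.get(int(number)) if number.isdigit() else None
        if name is None or rec.get("exe") in expected:
            continue
        # Failed attempts are reported too: they show a loader that tried.
        findings.append((rec.get("exe"), name, rec.get("success") == "yes"))
    return findings


if __name__ == "__main__":
    for exe, name, ok in unexpected_module_loads(SAMPLE_LOG):
        print(f"{exe} called {name} (success={ok})")
```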