On Fri, Mar 22, 2013 at 3:10 PM, Tom Gundersen <teg@xxxxxxx> wrote:
> On Fri, Mar 22, 2013 at 8:07 PM, Josh Boyer <jwboyer@xxxxxxxxx> wrote:
>> On Fri, Mar 22, 2013 at 12:18 PM, Tom Gundersen <teg@xxxxxxx> wrote:
>>> There is nothing
>>> forcing you to use libkmod to load modules, so there would be no
>>> guarantee that only the modules on the white-list can be loaded (i.e.,
>>> adding this feature would not have the same guarantee as rebuilding
>>> the kernel with only the whitelisted modules enabled, contrary to what
>>> I guess one would expect?).
>>
>> You are not incorrect, however rebuilding the kernel isn't always an
>> option.
>
> Yes, so my understanding was that you want this white-listing feature
> in order to get the same behavior as if you had rebuilt the kernel,
> without actually having to do so. Is that correct? If so, then my
> point was that you don't get the same behavior, as there are other
> ways to load modules, so people might get a false sense of security...

That is arguably true. I would imagine some additional mechanisms are
necessary to ensure that the kmod tools are the only ones permitted to
call finit_module and init_module. Perhaps via SELinux.

josh
--
To unsubscribe from this list: send the line "unsubscribe linux-modules" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
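The point of the exchange above is that a white-list inside libkmod does not constrain the init_module and finit_module syscalls themselves, so an administrator who cannot rebuild the kernel still needs to know when those syscalls are made by something other than the kmod tools. The following is an added example, not code from the linux-modules list or from kmod: it parses constructed auditd SYSCALL records and reports module-load syscalls whose exe is not one of the expected loader binaries. The x86_64 syscall numbers, the loader paths in the whitelist and the sample log lines are assumptions for illustration; the auditctl rule quoted in the comment is the standard auditd syntax for producing such records.

```python
"""Report init_module/finit_module syscalls not issued by the kmod tools.

Added example for the thread above; not code from the linux-modules list
or from kmod. Assumes the default auditd record format and the x86_64
syscall numbers. The loader whitelist and the log lines are constructed.

Records like the ones below are produced by an audit rule such as:
    auditctl -a always,exit -F arch=b64 -S init_module -S finit_module -k modload
"""
import re
from typing import Dict, Iterable, List

# x86_64 syscall numbers (assumption: other architectures use different numbers).
MODULE_LOAD_SYSCALLS = {175: "init_module", 313: "finit_module"}

# Binaries expected to load modules (constructed; on a real host use the paths
# your distribution installs kmod/modprobe/insmod at).
ALLOWED_LOADERS = {"/usr/bin/kmod", "/usr/sbin/modprobe", "/usr/sbin/insmod"}

# audit records are space-separated key=value pairs; values may be quoted.
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_record(line: str) -> Dict[str, str]:
    """Split one audit record into a dict, stripping quotes from values."""
    return {key: value.strip('"') for key, value in _FIELD_RE.findall(line)}


def unexpected_module_loads(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return SYSCALL records for module-load syscalls whose exe is not a known loader.

    Failed attempts (success=no) are reported too: a non-root process hitting
    EPERM on finit_module is still worth a look.
    """
    findings = []
    for line in lines:
        rec = parse_audit_record(line)
        if rec.get("type") != "SYSCALL":
            continue
        try:
            nr = int(rec.get("syscall", ""))
        except ValueError:
            continue
        if nr not in MODULE_LOAD_SYSCALLS:
            continue
        exe = rec.get("exe", "")
        if exe in ALLOWED_LOADERS:
            continue
        findings.append({
            "syscall": MODULE_LOAD_SYSCALLS[nr],
            "exe": exe,
            "comm": rec.get("comm", ""),
            "pid": rec.get("pid", ""),
            "success": rec.get("success", ""),
        })
    return findings


# Constructed sample records: one legitimate modprobe load, one init_module
# call from an unknown binary, an unrelated execve, a PROCTITLE record and a
# failed finit_module attempt from an interpreter.
SAMPLE_AUDIT_LOG = [
    'type=SYSCALL msg=audit(1363982400.101:201): arch=c000003e syscall=313 success=yes exit=0 '
    'a0=3 a1=7f1b2c00 a2=0 a3=0 items=0 ppid=1 pid=412 auid=4294967295 uid=0 gid=0 euid=0 '
    'comm="modprobe" exe="/usr/bin/kmod" key="modload"',
    'type=SYSCALL msg=audit(1363982400.102:202): arch=c000003e syscall=175 success=yes exit=0 '
    'a0=1a2b000 a1=4f20 a2=0 a3=0 items=0 ppid=2001 pid=2034 auid=1000 uid=0 gid=0 euid=0 '
    'comm="oddloader" exe="/usr/local/bin/oddloader" key="modload"',
    'type=SYSCALL msg=audit(1363982400.103:203): arch=c000003e syscall=59 success=yes exit=0 '
    'a0=1 a1=2 a2=3 a3=0 items=2 ppid=900 pid=901 auid=1000 uid=1000 gid=1000 euid=1000 '
    'comm="ls" exe="/usr/bin/ls" key=(null)',
    'type=PROCTITLE msg=audit(1363982400.103:203): proctitle="ls"',
    'type=SYSCALL msg=audit(1363982400.104:204): arch=c000003e syscall=313 success=no exit=-1 '
    'a0=4 a1=7f1b2c00 a2=0 a3=0 items=0 ppid=3001 pid=3044 auid=1000 uid=1000 gid=1000 euid=1000 '
    'comm="python3" exe="/usr/bin/python3" key="modload"',
]


if __name__ == "__main__":
    for hit in unexpected_module_loads(SAMPLE_AUDIT_LOG):
        print("{syscall} by {exe} (comm={comm}, pid={pid}, success={success})".format(**hit))
```

Run against the constructed log this reports the init_module call from /usr/local/bin/oddloader and the failed finit_module call from /usr/bin/python3, and stays silent for the modprobe load. Whitelisting on exe is a detection aid rather than an enforcement boundary; the SELinux policy Josh mentions is what would actually deny the syscall to everything except the kmod domain.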