Re: [RFC PATCH] kmod: add whitelist option

On Fri, Mar 22, 2013 at 3:10 PM, Tom Gundersen <teg@xxxxxxx> wrote:
> On Fri, Mar 22, 2013 at 8:07 PM, Josh Boyer <jwboyer@xxxxxxxxx> wrote:
>> On Fri, Mar 22, 2013 at 12:18 PM, Tom Gundersen <teg@xxxxxxx> wrote:
>>> There is nothing
>>> forcing you to use libkmod to load modules, so there would be no
>>> guarantee that only the modules on the white-list can be loaded (i.e.,
>>> adding this feature would not have the same guarantee as rebuilding
>>> the kernel with only the whitelisted modules enabled, contrary to what
>>> I guess one would expect?).
>>
>> You are not incorrect, however rebuilding the kernel isn't always an
>> option.
>
> Yes, so my understanding was that you want this white-listing feature
> in order to get the same behavior as if you had rebuilt the kernel,
> without actually having to do so. Is that correct? If so, then my
> point was that you don't get the same behavior, as there are other
> ways to load modules, so people might get a false sense of security...

That is arguably true.  I would imagine some additional mechanisms are
necessary to ensure that the kmod tools are the only ones permitted to
call finit_module and init_module.  Perhaps via SELinux.

josh
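The point above, that a kmod-side whitelist cannot see module loads that bypass libkmod and call init_module/finit_module directly, is the kind of gap an audit rule can at least make visible. As an added example (not from this thread or the kmod project), the following Python check parses constructed auditd SYSCALL records and flags module-load syscalls whose calling binary is not one of the kmod tool paths; the syscall numbers are the x86_64 ones, and the allowed executable paths and the audit rule line are assumptions for this illustration.

```python
import re

# auditd rule (assumed for this example) that would produce the records below:
AUDIT_RULE = "-a always,exit -F arch=b64 -S init_module -S finit_module -k modload"

# Constructed sample SYSCALL records (x86_64): init_module is syscall 175,
# finit_module is 313. All pids, timestamps and paths here are made up.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1363985400.101:301): arch=c000003e syscall=313 success=yes exit=0 pid=1201 auid=0 uid=0 comm="modprobe" exe="/usr/bin/kmod" key="modload"
type=SYSCALL msg=audit(1363985400.102:302): arch=c000003e syscall=175 success=yes exit=0 pid=1202 auid=1000 uid=0 comm="loader" exe="/tmp/loader" key="modload"
type=SYSCALL msg=audit(1363985400.103:303): arch=c000003e syscall=1 success=yes exit=4 pid=1203 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="other"
type=SYSCALL msg=audit(1363985400.104:304): arch=c000003e syscall=313 success=no exit=-1 pid=1204 auid=1000 uid=1000 comm="insmod" exe="/usr/bin/kmod" key="modload"
"""

MODULE_LOAD_SYSCALLS = {"175": "init_module", "313": "finit_module"}
# Assumed install locations of the kmod multi-call binary on this host.
KMOD_EXES = {"/usr/bin/kmod", "/sbin/kmod"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a key -> value dict, stripping quotes."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def unexpected_module_loads(log_text, allowed_exes=KMOD_EXES):
    """Return module-load syscalls not issued by an allowed kmod binary."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        # Only x86_64 SYSCALL records; other arches use different numbers.
        if rec.get("type") != "SYSCALL" or rec.get("arch") != "c000003e":
            continue
        name = MODULE_LOAD_SYSCALLS.get(rec.get("syscall"))
        if name is None or rec.get("exe") in allowed_exes:
            continue
        findings.append({
            "pid": rec.get("pid"),
            "exe": rec.get("exe"),
            "syscall": name,
            "succeeded": rec.get("success") == "yes",
        })
    return findings


if __name__ == "__main__":
    for f in unexpected_module_loads(SAMPLE_AUDIT_LOG):
        print(f"pid {f['pid']} {f['exe']} called {f['syscall']} "
              f"(succeeded={f['succeeded']})")
```

Note that this only detects loads that bypass the kmod tools after the fact; preventing them still needs an enforcement mechanism such as the SELinux policy mentioned above.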