tech-kern archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Proposal: Disable autoload of compat_xyz modules



Le 02/08/2017 à 10:19, matthew green a écrit :
compat_linux
compat_linux32
compat_netbsd32

all of these are used regularly by many netbsd users.  please don't
include them in your list of targets.  saying "modload is OK" is
not how we treat the GENERIC kernel -- if it's OK, then it's OK for
GENERIC is how we treat that.

the latter is also essential for our mips64 platforms.

As said earlier, the last one indeed should not be in this list. But the first
two should.

If it's not how we treat the GENERIC kernel, then let's treat it this way from
now on. There is a clear difference between "modload is ok" and "generic is ok";
the former needs root's intervention at some point, the latter is open to
unprivileged users. Closing the door to unprivileged processes by default is
precisely the goal here.

When a vulnerability is found in compat_linux or compat_linux32 - which
regularly is the case -, it won't affect the base system anymore.


Home | Main Index | Thread Index | Old Index