tech-kern archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Proposal: Disable autoload of compat_xyz modules



Le 10/09/2017 à 12:43, Manuel Bouyer a écrit :
On Sun, Sep 10, 2017 at 12:38:52PM +0200, Maxime Villard wrote:
Le 10/09/2017 à 12:22, Manuel Bouyer a écrit :
On Sun, Sep 10, 2017 at 12:17:58PM +0200, Maxime Villard wrote:
Re-thinking about this again, it seems to me we could simply add a flags
field in modinfo_t, with a bit that says "if this module is builtin, then
don't load it". To use compat_xyz, you'll have to type modload, and the
kernel will load the module from the builtin list.

If I compile a kernel with a built-in module, I expect this module to
be active. Otherwise I don't compile it.

This kind of all-or-nothing mindset just does not work if we want to reduce
the attack surface but still have features nearby. A level of indirection is
needed, and it didn't seem to me that having per-module flags was a really bad
idea.

A secure system is also a system which is simple. Adding indirections
doesn't keep the system simple.

True enough; but in this particular case, leaving compat features enabled just
for the sake of simplicity produces a system that is much more vulnerable than
if it had one level of indirection.


Home | Main Index | Thread Index | Old Index