Manuel Bouyer <bouyer%antioche.eu.org@localhost> writes:

> On Sun, Sep 10, 2017 at 12:17:58PM +0200, Maxime Villard wrote:
>> Re-thinking about this again, it seems to me we could simply add a flags
>> field in modinfo_t, with a bit that says "if this module is builtin, then
>> don't load it". To use compat_xyz, you'll have to type modload, and the
>> kernel will load the module from the builtin list.
>
> If I compile a kernel with a built-in module, I expect this module to
> be active. Otherwise I don't compile it.

But maxv@ is not talking about you deciding to compile a kernel and putting in a line for a module. The question is about compat modules that are in GENERIC, and how to choose defaults so that users who want to use them aren't inconvenienced and users who don't want to use them don't have reduced security.

Reading maxv@'s suggestion, I wondered about autoload of non-built-in modules (but maybe that is already disabled). My quick reaction is that it would be nice if the "don't autoload" flag had the same behavior for builtin and non-builtin modules, so that builtin/not is just a linking style thing, and not more. But I see your point about respecting explicit configuration.

So I wonder about (without providing a patch of course):

  - having a per-compiled-module flag to disable autoload, as suggested (in builtin and not, unless I'm confused)

  - set the noautoload flag to true in modules that are deemed an unnecessary risk to people who have not made a choice to use them [so far this is maxv's proposal, I think]

  - expand config(8) to be able to set "noautoload", so that if a module is included as part of a kernel, it will be marked noautoload if and only if the flag is on the line, regardless of defaults. This would not affect the modules in stand; they'd still have the noautoload flag's default value.

  - add the noautoload flag to in-tree kernel configs for the above modules

which means that in Manuel's custom kernel he can just leave out the noautoload flag and then that kernel will behave as always. People trying to run a MODULAR kernel would still need to either edit their module sources to change the flag (which, if you are a MODULAR type, is more or less like editing GENERIC) or do manual modload.

Overall I find this disabling of things by default but leaving them in far preferable to not building them or removing them from sources in terms of getting to a better place in the security/usability trade space.
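As an added illustration of the semantics being discussed (this is not code from the thread, nor NetBSD kernel code; modinfo_t, modload(8) and config(8) are the real names referred to above, but every struct, function, flag and config-line syntax below is hypothetical, and the module table is a constructed sample), here is a toy C model of a per-module "noautoload" flag that is honoured identically for builtin and non-builtin modules, overridden only by an explicit modload, and settable from a config line regardless of the compiled-in default:

```c
/*
 * Toy model of the "noautoload" flag proposal discussed in this thread.
 * Added illustration, not NetBSD kernel code: every struct, function and
 * flag name below is hypothetical, and the module table is a constructed sample.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TOY_MODFLAG_NOAUTOLOAD 0x1u  /* hypothetical bit in a modinfo flags word */

enum toy_load_reason {
    TOY_LOAD_EXPLICIT,   /* operator ran modload(8) */
    TOY_LOAD_AUTO        /* kernel wants to autoload on demand, e.g. for a compat syscall */
};

struct toy_modinfo {
    const char *name;
    bool builtin;        /* linked into the kernel image vs. loaded from /stand */
    unsigned flags;
    bool active;
};

/* The rule the mail argues for: identical for builtin and non-builtin modules. */
bool toy_may_load(const struct toy_modinfo *mi, enum toy_load_reason why)
{
    if (why == TOY_LOAD_EXPLICIT)
        return true;                                /* explicit modload always wins */
    return (mi->flags & TOY_MODFLAG_NOAUTOLOAD) == 0;
}

/* Returns 0 when the module became active, -1 when the load was refused. */
int toy_load(struct toy_modinfo *mi, enum toy_load_reason why)
{
    if (mi == NULL || !toy_may_load(mi, why))
        return -1;
    mi->active = true;
    return 0;
}

/*
 * Hypothetical config(8) extension: a kernel config line "<module> [noautoload]".
 * The module is marked noautoload if and only if the word appears on the line,
 * regardless of the module's compiled-in default.
 */
unsigned toy_config_flags(const char *line)
{
    char buf[128];
    unsigned flags = 0;
    char *tok;

    strncpy(buf, line, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    tok = strtok(buf, " \t\n");                 /* first word: module name, skipped */
    while ((tok = strtok(NULL, " \t\n")) != NULL)
        if (strcmp(tok, "noautoload") == 0)
            flags |= TOY_MODFLAG_NOAUTOLOAD;
    return flags;
}

/* Constructed sample table, as a GENERIC-like kernel might carry it. */
static struct toy_modinfo toy_table[] = {
    { "compat_xyz", true,  TOY_MODFLAG_NOAUTOLOAD, false },
    { "ffs",        true,  0,                      false },
    { "compat_abc", false, TOY_MODFLAG_NOAUTOLOAD, false },
};

struct toy_modinfo *toy_lookup(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof toy_table / sizeof toy_table[0]; i++)
        if (strcmp(toy_table[i].name, name) == 0)
            return &toy_table[i];
    return NULL;
}

/* What the kernel would do when a syscall needs a module that isn't active yet. */
int toy_autoload(const char *name)
{
    struct toy_modinfo *mi = toy_lookup(name);
    if (mi != NULL && mi->active)
        return 0;
    return toy_load(mi, TOY_LOAD_AUTO);
}

int main(void)
{
    printf("autoload compat_xyz: %d\n", toy_autoload("compat_xyz"));   /* refused */
    printf("autoload ffs: %d\n", toy_autoload("ffs"));                 /* loads */
    printf("modload compat_xyz: %d\n",
           toy_load(toy_lookup("compat_xyz"), TOY_LOAD_EXPLICIT));     /* loads */
    printf("config flags: %u\n", toy_config_flags("compat_xyz noautoload"));
    return 0;
}
```

The point the model makes concrete is the security one behind the thread: a compat module that autoloads on the first matching syscall is attack surface reachable by any unprivileged process that issues that syscall, whereas a module carrying the flag stays present in the kernel (so nothing is lost from the build) but inert until an operator explicitly asks for it.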