On 10/09/2017 at 12:43, Manuel Bouyer wrote:
> On Sun, Sep 10, 2017 at 12:38:52PM +0200, Maxime Villard wrote:
>> On 10/09/2017 at 12:22, Manuel Bouyer wrote:
>>> On Sun, Sep 10, 2017 at 12:17:58PM +0200, Maxime Villard wrote:
>>>> Re-thinking about this again, it seems to me we could simply add a
>>>> flags field in modinfo_t, with a bit that says "if this module is
>>>> builtin, then don't load it". To use compat_xyz, you'll have to type
>>>> modload, and the kernel will load the module from the builtin list.
>>> If I compile a kernel with a built-in module, I expect this module to
>>> be active. Otherwise I don't compile it.
>> This kind of all-or-nothing mindset just does not work if we want to
>> reduce the attack surface but still have features nearby. A level of
>> indirection is needed, and it didn't seem to me that having per-module
>> flags was a really bad idea.
> A secure system is also a system which is simple. Adding indirections
> doesn't keep the system simple.
True enough; but in this particular case, leaving compat features enabled just for the sake of simplicity produces a system that is much more vulnerable than if it had one level of indirection.
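The per-module flag proposed in the quoted message, as an added illustrative sketch (not NetBSD's sys/module.h or any code from this thread): a trimmed-down modinfo_t with a hypothetical MI_F_NOAUTOLOAD bit, a boot path that skips flagged built-ins, and an explicit modload-style path that ignores the flag. The module names are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical sketch, not NetBSD's modinfo_t: only the fields the
 * proposal needs. MI_F_NOAUTOLOAD is the proposed "built in, but do not
 * activate at boot" bit. */
#define MI_F_NOAUTOLOAD 0x01

typedef struct {
    const char *mi_name;
    unsigned    mi_flags;
    bool        loaded;     /* simulated activation state */
} modinfo_t;

/* Constructed built-in list: one core module, one compat module that is
 * compiled in but held back behind the flag. */
static modinfo_t builtin[] = {
    { "ffs",        0,               false },
    { "compat_xyz", MI_F_NOAUTOLOAD, false },
};
#define NBUILTIN (sizeof(builtin) / sizeof(builtin[0]))

/* Boot path: activate every built-in module except the flagged ones, so
 * compat code stays off (and out of the attack surface) by default.
 * Returns the number of modules activated. */
size_t module_init_builtins(void)
{
    size_t n = 0;
    for (size_t i = 0; i < NBUILTIN; i++) {
        if (builtin[i].mi_flags & MI_F_NOAUTOLOAD)
            continue;
        builtin[i].loaded = true;
        n++;
    }
    return n;
}

/* Explicit modload-style request: the flag does not apply here, so a
 * flagged built-in can still be activated on demand from the builtin
 * list. Returns false if no built-in of that name exists. */
bool module_load_builtin(const char *name)
{
    for (size_t i = 0; i < NBUILTIN; i++) {
        if (strcmp(builtin[i].mi_name, name) == 0) {
            builtin[i].loaded = true;
            return true;
        }
    }
    return false;
}

bool module_is_loaded(const char *name)
{
    for (size_t i = 0; i < NBUILTIN; i++)
        if (strcmp(builtin[i].mi_name, name) == 0)
            return builtin[i].loaded;
    return false;
}
```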