lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 13 Jul 2009 11:02:14 +0200
From:	Andi Kleen <andi@...stfloor.org>
To:	Arjan van de Ven <arjan@...radead.org>
Cc:	Greg KH <greg@...ah.com>, Rusty Russell <rusty@...tcorp.com.au>,
	Ingo Molnar <mingo@...e.hu>,
	Siarhei Liakh <sliakh.lkml@...il.com>,
	linux-kernel@...r.kernel.org,
	linux-security-module@...r.kernel.org,
	James Morris <jmorris@...ei.org>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Andi Kleen <ak@....de>, Thomas Gleixner <tglx@...utronix.de>,
	"H. Peter Anvin" <hpa@...or.com>, linux-cris-kernel@...s.com
Subject: Re: [PATCH v5] RO/NX protection for loadable kernel modules

Arjan van de Ven <arjan@...radead.org> writes:
> I've seen some of these case, where the distro kernel has something as
> a module, but the other parts of the distro the unconditionally load
> that module always. That makes no sense.

One good reason for this is that if something goes wrong with
the module you can still remove/blacklist the module. This can 
be very useful in distro deployment, where telling users
"please set flag xyz" is much easier than asking them to get 
a special kernel build. It also helps debugging when you're
trying to narrow down where a problem is.

But you can't do that with built-in drivers.

One way to avoid this would be to have a standard way to turn off
drivers/subsystems that are built in on the command line. Right
now that's difficult because the linked kernel doesn't even know
the driver names anymore. 

Perhaps we should keep the module names/metadata even in static
kernel? (and make CONFIG_MODULE on the subsystem level disappear?).

IMHO that would be a great cleanup anyways, avoiding one special
case in the driver build testing.

It would be also nice if you could cat some file in sys and it gave
you the module descriptions for example.

-Andi
-- 
ak@...ux.intel.com -- Speaking for myself only.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ