Message-ID: <CA+55aFwWU+-+msC=QtCdYE942zuEHhoee58R9eY73V59OHV+sA@mail.gmail.com>
Date:	Wed, 10 Feb 2016 13:51:47 -0800
From:	Linus Torvalds <torvalds@...ux-foundation.org>
To:	David Rientjes <rientjes@...gle.com>
Cc:	"J. Bruce Fields" <bfields@...ldses.org>,
	Linux Kernel <linux-kernel@...r.kernel.org>
Subject: Re: kernel pruning script..

On Wed, Feb 10, 2016 at 1:05 PM, David Rientjes <rientjes@...gle.com> wrote:

>> > for f in $(ls /lib/modules); do
>> >         if rpm -qf "/lib/modules/$f" >/dev/null; then
>> >                 echo "keeping $f (installed from rpm)"
>> >         elif [ $(uname -r) = "$f" ]; then
>> >                 echo "keeping $f (running kernel) "
>> >         else
>> >                 echo "removing $f"
>> >                 rm -f "/boot/initramfs-$f.img" "/boot/System.map-$f"
>> >                 rm -f "/boot/vmlinuz-$f"   "/boot/config-$f"
>> >                 rm -rf "/lib/modules/$f"
>> >                 new-kernel-pkg --remove $f
>> >         fi
>> > done
>> > '
>
> I do something similar to this on a regular basis as well, but I also rm
> -rf /lib/firmware/$f

So I don't think most people do that. I know I don't. I think it comes
into play mainly if you do the packaged kernel thing (ie the
"builddeb" rule or the rpmbuild), and in that case you should never
remove the files manually anyway.

The normal firmware_install just puts things into /lib/firmware,
because the firmware files are supposed to be versioned on their own,
not by kernel version.

So I don't think that's a thing we want to add in general. However, I
*would* want to add sanity checks for deb-based things, right now we
just have that

   if rpm -qf "/lib/modules/$f" >/dev/null; then
        echo "keeping $f (installed from rpm)"

and we'd need something similar for a debian package.

Also note that what I have actually been using - and what I committed
- wasn't really the quoted original script from Bruce. I end up
pruning individual kernels by name (rather than pruning everything in
/lib/modules).

Finally, note that I removed the "ssh root@$1" model that Bruce had -
his script really makes more sense in his situation where he does this
to his target test machines, but I don't think that's the proper model
for a script like this in the general case.

So to get the behavior that Bruce's script had, you'd actually do

   ssh root@...get 'cd /lib/modules && prune-kernel *'

with the thing I committed.

So the script that is committed (it's in current -git as
"scripts/prune-kernel") is slightly different from this emailed
thread, but I'd be more than happy to take patches for it. I've used
my edited version for a long while (pretty much since Bruce posted
it), but it's a complete hack. I think it started out as a hack, and I
hacked it up (or down, depending on your situation) some more, and
while the largest reason for me to commit it was just to not have to
look it up every time I do a new machine install, I'm also hoping that
now that it's in the kernel tree, maybe people will say ".. but I'm
running Ubuntu, and that rpm test does nothing for me, so it should
add a line to do X".

But I still think that your firmware thing implies that you're using a
packaged kernel, and that you shouldn't be removing subdirectories by
hand.

           Linus
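
The Debian counterpart to the `rpm -qf` sanity check that the message asks for, as an added example; it is not the committed scripts/prune-kernel and not code from this thread. It assumes `dpkg-query -S` as the deb ownership query, uses the hypothetical names `pkg_owned`, `classify_kernel`, `prune_plan`, `MODULES_ROOT` and `RUNNING`, and prints a plan instead of deleting anything.

```shell
# Added example: plan-only pruning with rpm and dpkg ownership checks.
# MODULES_ROOT and RUNNING are hypothetical overrides used for testing.
MODULES_ROOT="${MODULES_ROOT:-/lib/modules}"
RUNNING="${RUNNING:-$(uname -r)}"

# Succeeds if an installed rpm or deb package owns the path. The resolved
# path is tried too, since /lib may be a symlink to /usr/lib.
pkg_owned() {
    real=$(readlink -f "$1" 2>/dev/null) || real=$1
    for p in "$1" "$real"; do
        if command -v rpm >/dev/null 2>&1 &&
           rpm -qf "$p" >/dev/null 2>&1; then
            return 0
        fi
        if command -v dpkg-query >/dev/null 2>&1 &&
           dpkg-query -S "$p" >/dev/null 2>&1; then
            return 0
        fi
    done
    return 1
}

# Prints one verdict for a kernel version name.
classify_kernel() {
    case "$1" in
        ''|.|..|*/*) echo skip-invalid; return 0 ;;  # never leave MODULES_ROOT
    esac
    if [ "$1" = "$RUNNING" ]; then
        echo keep-running
    elif [ ! -d "$MODULES_ROOT/$1" ]; then
        echo skip-invalid
    elif pkg_owned "$MODULES_ROOT/$1"; then
        echo keep-packaged
    else
        echo remove
    fi
}

# Prints what a prune of the named kernels would do; deletes nothing.
prune_plan() {
    for v in "$@"; do
        verdict=$(classify_kernel "$v")
        echo "$v: $verdict"
        [ "$verdict" = remove ] || continue
        echo "  would rm -rf $MODULES_ROOT/$v"
        echo "  would rm -f /boot/vmlinuz-$v /boot/initramfs-$v.img" \
             "/boot/System.map-$v /boot/config-$v"
    done
}

if [ "$#" -gt 0 ]; then prune_plan "$@"; fi
```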
