Is there a way to disallow further kernel module load/unload operations (including automatic loading of modules) pending (a) reboot (for security too), or in a less dire form (b) pending an explicit unlock request? (not sure the latter is actually needed)
While this could function like part of BSD securelevels I suppose (at least one other minimal part being disabling writes to /dev/*mem), my main interest is if that would make it possible to install more kernel and driver patches safely in multi-user mode, without having to worry about an inconsistent set of modules getting loaded prior to reboot. Of course in the long run, something like a combination of LiveUpgrade with a cloneable, promotable ZFS root would let any maintenance from minor patches through upgrades be done quickly, safely, and reversibly online, with the reboot to implement it being able to be deferred until relatively convenient. But let's face it, a lot of folks are going to drag their feet on reloading (esp. if they don't have space on their typically dinky pair of internal drives for a spare partition for LiveUpgrade) to such a configuration. I would think this could be done relatively quickly without that; and if patch installation checked for that capability and used it as needed if available (and the READMEs said as applicable that if patch xxxxxx-yy or later was installed, installing the patch the README applied to could be done at any time, with the understanding that module loading/unloading would be disabled until reboot. This message posted from opensolaris.org _______________________________________________ opensolaris-code mailing list [email protected] http://mail.opensolaris.org/mailman/listinfo/opensolaris-code
