On Wed Jun 16 2010 at 06:31:59 -0700, Paul Goyette wrote: > The attached diffs add a new mod_disabled member to the module_t > structure, and set the value to false in each place that a new entry is > created. (Since all of the allocations of module_t structures are done > with kmem_zalloc() I could probably avoid the explicit setting of the > value to false.) > > The value is set to true whenever a module is removed from active duty > and returned to the module_builtin list. (I specifically did NOT mark a > module disabled if its modcmd(INIT) failed, under the assumption that it > might succeed in a later retry.)
Keeping the same security use case in mind, it would be better that after full module bootstrap (i.e. MODULE_CLASS_ANY) all builtin modules would be either initialized or disabled. Otherwise, if we assume that init may later succeed for whatever reason, an operator that checks a module with a security problem is not activated may be surprised to later find out that the same module has now been autoenabled.