On Sun, Sep 10, 2017 at 12:38:52PM +0200, Maxime Villard wrote:
> Le 10/09/2017 à 12:22, Manuel Bouyer a écrit :
> > On Sun, Sep 10, 2017 at 12:17:58PM +0200, Maxime Villard wrote:
> > > Re-thinking about this again, it seems to me we could simply add a flags
> > > field in modinfo_t, with a bit that says "if this module is builtin, then
> > > don't load it". To use compat_xyz, you'll have to type modload, and the
> > > kernel will load the module from the builtin list.
> >
> > If I compile a kernel with a built-in module, I expect this module to
> > be active. Otherwise I don't compile it.
>
> This kind of all-or-nothing mindset just does not work if we want to reduce
> the attack surface but still have features nearby. A level of indirection is
> needed, and it didn't seem to me that having per-module flags was a really bad
> idea.
A secure system is also a system which is simple. Adding indirections
doesn't keep the system simple.
--
Manuel Bouyer <bou...@antioche.eu.org>
NetBSD: 26 ans d'experience feront toujours la difference
--
