Re: request_module vs. modprobe blacklist (and security subsystem implications)

From: Andi Kleen
Date: Wed Oct 21 2009 - 20:48:17 EST

Next message: Andi Kleen: "Re: [RFC][PATCH] Add prctl to set sibling thread names"
Previous message: Arjan van de Ven: "Re: [RFC][PATCH] Add prctl to set sibling thread names"
In reply to: Rusty Russell: "Re: request_module vs. modprobe blacklist (and security subsystem implications)"
Next in thread: Eric W. Biederman: "Re: request_module vs. modprobe blacklist (and security subsystem implications)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> The problem is that a number of programs (sendmail, procmail, sshd, and
> more) have all been seen to do operations which tried to load the ipv6
> module. These get into request_module(), hit the security hook, and are
> obviously denied since the security system doesn't see a need for those
> programs to be able to request a module be loaded.

What's the problem with being denied? After all the programs expect
this to error out

If you're worrying about the audit entries -- the obvious place
to fix that is somewhere in your security code. Don't make the rest
of the code uglier for this.

-Andi
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Andi Kleen: "Re: [RFC][PATCH] Add prctl to set sibling thread names"
Previous message: Arjan van de Ven: "Re: [RFC][PATCH] Add prctl to set sibling thread names"
In reply to: Rusty Russell: "Re: request_module vs. modprobe blacklist (and security subsystem implications)"
Next in thread: Eric W. Biederman: "Re: request_module vs. modprobe blacklist (and security subsystem implications)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]