Source-Changes-D archive
Re: CVS commit: src
On Dec 20, 9:44pm, Maxime Villard wrote:
} On 20/12/2019 at 20:52, Martin Husemann wrote:
} > On Fri, Dec 20, 2019 at 07:54:36PM +0100, Maxime Villard wrote:
} >> Alright, fair enough. I will revert my removal over the week-end, because it
} >> hasn't received sufficient public discussion.
} >
} > Thank you!
} >
} >> As well, I will revert secteam's
} >> killing of the feature, because there has been no public discussion on that at
} >> all.
} >
} > Please do not. You *do* have a point here, but:
} >
} > 1) public discussion upfront for a security issue is not always possible,
} > as you are well aware
}
} I'm afraid that's no excuse, in that several of the security issues in the
} past have had to be discussed publicly. (On your own personal insistence,
} by the way, and I see no reason why the policy would change all of a
} sudden just because you personally decided otherwise.)
}
} > 2) there has been a public security advisory which assumes this change
} > and would need to be revised in case of reversal
}
} This only means secteam doubled down in being wrong.
}
} Specifically, it seems to me that removing /dev/filemon would have been
} sufficient, instead of removing the kmod. People could re-create
} /dev/filemon with minimal effort, should they be interested in the feature.
} As opposed to that, rebuilding a kmod is a much bigger effort.
I don't wish to get embroiled in this debate (even if I did
start it by requesting the reversion). I just want to point out
that there is a relatively simple way to disable the autoloading of
a module. From module(9):

    The directory from which the module is loaded will be searched for
    a file with the same name as the module file, but with the suffix
    ``.plist''. If this file is found, the prop_dictionary it contains
    will be loaded and passed to the module's modcmd() routine. If
    this prop_dictionary contains a ``noautoload'' property which is
    set to ``true'' then the system will refuse to load the module.

The simplest way to do the above is:

    modload -p -b noautoload=true > <module>.plist

}-- End of excerpt from Maxime Villard
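
Added example, not part of the original message or of NetBSD's own code: a Python audit that reports, for each module in a module directory, whether a property list next to it sets noautoload to boolean true as the module(9) excerpt describes. The <name>/<name>.kmod layout, the <name>.plist file name, the XML plist encoding, and the module names other than filemon are assumptions; the sample files are constructed.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

# Constructed sample: a dictionary holding the boolean named in the module(9) excerpt.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>noautoload</key>
	<true/>
</dict>
</plist>
"""

def noautoload_set(plist_path):
    """True only if the plist is a dictionary with a boolean noautoload == true."""
    try:
        with open(plist_path, "rb") as fh:
            props = plistlib.load(fh)
    except (OSError, ValueError, ExpatError):
        return False  # missing, empty or malformed plist: autoload is not blocked
    # Only a boolean counts here, matching the -b flag in the modload command above.
    return isinstance(props, dict) and props.get("noautoload") is True

def audit(modules_dir):
    """Map module name -> True if <name>.plist beside <name>.kmod blocks autoload."""
    report = {}
    for kmod in sorted(Path(modules_dir).glob("*/*.kmod")):
        report[kmod.stem] = noautoload_set(kmod.with_suffix(".plist"))
    return report

def demo():
    """Build a constructed module tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("filemon", "examplefs", "examplemod"):  # last two are hypothetical
            (root / name).mkdir()
            (root / name / f"{name}.kmod").write_bytes(b"")
        (root / "filemon" / "filemon.plist").write_bytes(SAMPLE_PLIST)
        # A string "true" instead of a boolean: reported as not blocked.
        (root / "examplemod" / "examplemod.plist").write_bytes(
            SAMPLE_PLIST.replace(b"<true/>", b"<string>true</string>"))
        return audit(root)

if __name__ == "__main__":
    for name, blocked in demo().items():
        print(f"{name}: {'autoload blocked' if blocked else 'autoload allowed'}")
```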