On Wed, 2019-01-30 at 22:04 +0300, Andrei Borzenkov wrote:
30.01.2019 21:49, Martin Wilck wrote:
On Wed, 2019-01-30 at 19:01 +0100, Jan Engelhardt wrote:
On Wednesday 2019-01-30 17:41, Martin Wilck wrote:
SUSE will blacklist a number of legacy and/or less frequently used file systems by default on SLES for security reasons.
The proposed list can be seen here:
https://github.com/openSUSE/suse-module-tools/pull/5/commits/8cb42fb6658f210...
The question is now whether we should do the same for openSUSE.
The question is whether perhaps autoloading should be inhibited by default, and then a distro like SLES can *whitelist* all those that it likes.
That way, people can also whitelist their favorite filesystem *without* having to edit any file that rpm installed (which, as we know, is always leading to a conflict).
I'm unsure how this would work technically, as there is no "whitelist" directive in modprobe.d files, and no blacklisting by wildcard.
blacklist cramfs
alias fs-cramfs cramfs
Should work, as "blacklist" only ignores built-in aliases, not aliases explicitly provided by configuration file(s).
I read the man page like you do, but it doesn't work like this:

apollon:~ # cat /lib/modprobe.d/60-blacklist.conf
blacklist cramfs
alias fs-cramfs cramfs
apollon:~ # modprobe -vn fs-cramfs
(no output)
apollon:~ # grep cramfs /proc/modules
(no output)
apollon:~ #

What we can do easily, though, is put the distro defaults under /lib/modules.d, so that users can change them any time under /etc/modules.d, similar to udev rules.
It is still all or nothing. It does not allow admin to override single directive (or single rule from udev rules file), so it won't allow "enabling" of single filesystem.
Nack.

apollon:~ # sed '/cramfs/s/^/#/' /lib/modprobe.d/60-blacklist.conf >/etc/modprobe.d/60-blacklist.conf
apollon:~ # modprobe -vn fs-cramfs
insmod /lib/modules/4.19.5-1-default/kernel/fs/cramfs/cramfs.ko

This would enable cramfs only. If you want all-or-nothing, you could simply run ">/etc/modprobe.d/60-blacklist.conf".

Martin

Although of course in this case the right location for packaged files is /lib, not /etc.
--
Dr. Martin Wilck <mwilck@suse.com>, Tel. +49 (0)911 74053 2107
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)
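
Added example, not part of the original thread and not code from suse-module-tools: since an admin can undo a packaged blacklist entry by shadowing the file under /etc, as the sed test above shows, this sketch reports which distro-blacklisted modules the effective configuration no longer blacklists. It assumes whole-file shadowing by identical file name and looks at two directories only; the function names and the module name "examplefs" are made up for the illustration.

```shell
#!/bin/sh
# Added example; assumes (as the thread's test shows) that a file in the admin
# directory shadows the same-named file in the distro directory as a whole.

# Print modules named by active "blacklist" lines in the effective config.
effective_blacklist() {  # $1 = distro dir, $2 = admin dir
    for f in "$1"/*.conf "$2"/*.conf; do
        [ -e "$f" ] && basename "$f"
    done | sort -u | while read -r name; do
        if [ -e "$2/$name" ]; then f="$2/$name"; else f="$1/$name"; fi
        awk '$1 == "blacklist" && NF >= 2 { print $2 }' "$f"
    done | sort -u
}

# Print modules the distro blacklists but the effective config does not.
reenabled() {  # $1 = distro dir, $2 = admin dir
    eff=$(effective_blacklist "$1" "$2")
    # Passing the distro dir twice yields the distro list with no shadowing.
    effective_blacklist "$1" "$1" | while read -r m; do
        printf '%s\n' "$eff" | grep -qxF -- "$m" || echo "$m"
    done
}

# Constructed sample: "examplefs" is a placeholder, not from SUSE's list.
demo() {
    d=$(mktemp -d) && mkdir "$d/lib" "$d/etc"
    printf 'blacklist cramfs\nblacklist examplefs\n' > "$d/lib/60-blacklist.conf"
    # Same edit as in the thread: comment out the cramfs line in the admin copy.
    sed '/cramfs/s/^/#/' "$d/lib/60-blacklist.conf" > "$d/etc/60-blacklist.conf"
    reenabled "$d/lib" "$d/etc"
    rm -rf "$d"
}

demo   # prints: cramfs
```

On a real host the call would be reenabled /lib/modprobe.d /etc/modprobe.d; an empty override file of the same name shows up as every packaged entry being re-enabled.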