From: kashani
Date: Mon, 12 Jun 2006 14:00:14 -0700
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Module philosophy: Compile-in or Load
Message-ID: <448DD5DE.1040001@badapple.net>
References: <448CFAAA.7030102@gt.rr.com>

Evan Klitzke wrote:
> On 6/11/06, Anthony E. Caudel wrote:
>> I was wondering what gentoo-users think and practice about kernel
>> modules. Do most compile them in the kernel or load them at boot-up.
>
> I have heard a security argument made that it is safer to compile
> everything into the kernel, and disable support for modules entirely.
> The reason for this is that if someone can load malicious modules on
> your system they can basically circumvent any security systems you are
> using, including things like SELinux and grsec.

If an attacker can load malicious modules into your kernel I'd argue
that your security model has already failed and failed spectacularly.
Sounds like security as thought up by someone who has never had to
manage a system unless someone has a plausible attack scenario.

kashani
-- 
gentoo-user@gentoo.org mailing list