Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <20260502185608.24115-1-justin.swartz@risingedge.co.za>
Date: Sat,  2 May 2026 20:56:08 +0200
From: Justin Swartz <justin.swartz@...ingedge.co.za>
To: oss-security@...ts.openwall.com
Subject: Re: Re: CVE-2026-31431: CopyFail: linux local privilege scalation

On Fri, May 1, 2026 at 20:25:17 -0400, Reid Sutherland wrote:
> Why is userspace allowed to load modules in any capacity?

It's potentially useful for autoloading driver modules when PnP
devices are connected, which could be considered deadweight if
they were loaded, or baked into the kernel itself, when the
respective devices aren't present.


> Why do we need kernel modules for math?

To interact with cryptographic acceleration hardware, if present or
desired, and to provide support for kernel subsystems that rely on
encryption, like IPSec or WireGuard.


> I'm assuming any thoroughly qualified platform engineer compiles
> the host kernel without module support.  At least, that needs to
> make a comeback, bring back applying grsec patches and make
> menuconfig..

I'm thoroughly unqualified, so take my opinion with a bag of salt:

If you have a use case that allows you to avoid loadable kernel
modules indefinitely in a completely monolithic kernel then, by
all means, roll your kernel as such and you'll be slightly safer
than those who don't.

Kernel configuration minification doesn't seem to be spoken of
much anymore except by those who have fairly resource constrained
embedded systems that run Linux on some application processor.

If you're prepared to go that far, why not roll your own distro?

LFS is a potentially good starting point, but you can get by with
even less. For example: Linux, musl, busybox, just the applications
(and mandatory dependencies) you need, and some init scripts to tie
it all together.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.