Date: Wed, 9 Mar 2011 23:43:16 +0300
From: Vasiliy Kulikov <segoon@...nwall.com>
To: owl-dev@...ts.openwall.com
Subject: Re: VLANs in Owl way?

Piotr,

On Mon, Mar 07, 2011 at 09:18 +0100, Piotr Meyer wrote:
> only 'is_available' needs some
> work (can we rely on sysfs on /sys presence?).

That's an open issue :-)  There is some danger in mounting /sys by
default.  Permissions of some sysfs files were too restricted not long
ago:

 https://lkml.org/lkml/2011/2/4/109

Since sysfs was not aggressively audited, the probability of still not
known issues like obtaining too sensitive information by non-root
processes is rather high.  We'll probably do some hardening work with
sysfs.

> Are following compatible with Owl way? This is standard approach
> in others distros but I don't know what Owl say about modules loaded
> automagically by scripts? In typical Owl kernel 8021q this module
> is compiled-in and, with non-standard kernel, module can be explicitly 
> added to /etc/rc.d/rc.modules by admin.

I think it is OK since we officially support 8021q.  It is not loading
of arbitrary modules or modules for arbitrary device / network family.

> if [ ! -d /proc/net/vlan ]; then
>     if ! modprobe 8021q >/dev/null 2>&1 ; then
>         echo $"No 802.1Q VLAN support available in kernel for device ${DEVICE}"
>         exit 1
>     fi
> fi

One little problem with the script is that it uses "ip link add type
vlan", it is not supported by our old iproute ;)  We're planning to
upgrade iproute after toolchain upgrade.

Thanks for the suggestion,

-- 
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
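The availability check discussed in this thread, written out as an added example (it is not code from either poster nor from the Owl tree). It follows the approach of the quoted snippet: it relies on /proc/net/vlan instead of sysfs, loads only the one officially supported module (8021q) when the directory is missing, and then picks the configuration tool according to what the installed iproute actually understands, since old iproute lacks "ip link add ... type vlan". The PROC_ROOT parameter and the VLAN_CHECK_REPORT environment variable are assumptions made so the check can be exercised against a constructed directory; the iproute capability probe is a heuristic, not a documented interface.

```shell
#!/bin/sh
# Added example, not from the original post: 802.1Q availability check
# that avoids sysfs and loads nothing but the supported 8021q module.

# vlan_available [PROC_ROOT]
# PROC_ROOT (assumed parameter, defaults to /proc) lets the check be run
# against a constructed directory.  Returns 0 when 802.1Q support is
# present, or could be loaded, and 1 otherwise.
vlan_available() {
    proc_root="${1:-/proc}"
    if [ -d "$proc_root/net/vlan" ]; then
        return 0
    fi
    # Load exactly one module by a fixed name, never a name taken from input.
    if command -v modprobe >/dev/null 2>&1 && modprobe 8021q >/dev/null 2>&1; then
        # Re-check instead of trusting modprobe's exit status alone.
        [ -d "$proc_root/net/vlan" ]
        return $?
    fi
    return 1
}

# vlan_tool
# Prints "ip" when the installed iproute appears to accept
# "ip link add ... type vlan" (heuristic: its help text mentions vlan),
# "vconfig" when only the legacy tool is present, and "none" otherwise.
vlan_tool() {
    if command -v ip >/dev/null 2>&1 \
       && ip link add type vlan help 2>&1 | grep -q -i 'vlan'; then
        echo ip
        return 0
    fi
    if command -v vconfig >/dev/null 2>&1; then
        echo vconfig
        return 0
    fi
    echo none
    return 1
}

# Stand-alone report (assumed switch): prints what this host offers,
# configures nothing.
if [ -n "${VLAN_CHECK_REPORT:-}" ]; then
    if vlan_available /proc; then
        echo "802.1Q: available"
    else
        echo "802.1Q: missing"
    fi
    echo "tool: $(vlan_tool)"
fi
```

Run it as `VLAN_CHECK_REPORT=1 sh vlan-check.sh` to see the report, or source it from an init script and call `vlan_available` before any interface setup; the caller decides between `ip link add` and `vconfig` based on what `vlan_tool` prints rather than assuming a recent iproute.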
