Message-ID: <282213fe-14f1-408b-86f4-d880fd800d8c@molgen.mpg.de>
Date: Sun, 17 May 2026 15:48:00 +0200
From: Donald Buczek <buczek@...gen.mpg.de>
To: oss-security@...ts.openwall.com
Subject: Re: Recent Kernel exploits, attack surface reduction,
 example IPSEC

On 5/16/26 17:09, Bernhard R. Link wrote:
> Security wise, supporting allow-lists instead of only deny-lists
> would make it easier for systems where you know beforehand what you
> want (I guess many server systems might end up in there). Of course
> you can just load everything and disable module loading, but then
> you'll need a restart whenever what you load needs to be changed.

By the way, I've just added such a feature to kmod for us:

https://github.molgen.mpg.de/mariux64/kmod/compare/v34.2...v34.2-mpi

Previously, we experimented with a wrapper script for /proc/sys/kernel/modprobe:

https://github.molgen.mpg.de/mariux64/mxtools/pull/532

But this would guard only the modules requested by the kernel, not the modules
pulled in as dependencies. So I think we'll discontinue that approach and use
the kmod modification instead.

Best
Donald
-- 
Donald Buczek
buczek@...gen.mpg.de
Tel: +49 30 8413 1433
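
The gap described in the message above, where a check on the module name the kernel requests does not see the modules pulled in as dependencies, shown as an added example that is not part of the original post and is neither the kmod change nor the mxtools wrapper. The `modules.dep` excerpt and the allow-list are constructed sample data, and all function names are hypothetical.

```python
import re

# Constructed modules.dep excerpt (format: "path: dep-path dep-path ...").
# The dependency lines are sample data, not taken from a real system.
MODULES_DEP = """\
kernel/net/ipv4/esp4.ko.xz: kernel/net/xfrm/xfrm_algo.ko.xz
kernel/net/xfrm/xfrm_algo.ko.xz:
kernel/fs/ext4/ext4.ko.xz: kernel/fs/jbd2/jbd2.ko.xz kernel/fs/mbcache.ko.xz
kernel/fs/jbd2/jbd2.ko.xz:
kernel/fs/mbcache.ko.xz:
"""

def modname(path):
    """Module name from a .ko path: drop directory and suffixes, '-' becomes '_'."""
    base = path.rsplit("/", 1)[-1]
    base = re.sub(r"\.ko(\.(gz|xz|zst))?$", "", base)
    return base.replace("-", "_")

def parse_deps(text):
    """Map each module name to the names of its direct dependencies."""
    deps = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        target, _, rest = line.partition(":")
        deps[modname(target.strip())] = [modname(p) for p in rest.split()]
    return deps

def load_set(deps, requested):
    """Every module that loading `requested` would insert (transitive closure)."""
    seen, stack = set(), [modname(requested)]
    while stack:
        name = stack.pop()
        if name not in seen:
            seen.add(name)
            stack.extend(deps.get(name, []))
    return seen

def check_request_only(allow, requested):
    """What a wrapper sees: only the name passed to it by the kernel."""
    return modname(requested) in allow

def check_with_deps(deps, allow, requested):
    """Return (permitted, modules outside the allow-list), dependencies included."""
    denied = sorted(load_set(deps, requested) - allow)
    return (not denied, denied)
```

With an allow-list of `esp4`, `ext4`, `jbd2` and `mbcache`, the request-only check accepts `esp4`, while the dependency-aware check reports `xfrm_algo` as outside the list.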
