On Sun, Mar 29, 2009 at 08:43, Alex Efros <[email protected]> wrote:
> On servers I build the kernel without module support. But on a workstation it's
> impossible to avoid using kernel modules: vmware-modules, nvidia-drivers...
<snip>
>
> Does it make sense to patch /etc/vmware/init.d/vmware this way on hardened
> systems in the vmware ebuild by default?
Opinion: module load prevention, like TPE, is an edge case of hardening - it has its place, but its utility is sufficiently narrow that the majority of hardened users I know of don't use it. If you're that tightly controlled, you should be vetting the packages individually anyway, and should be able to add the patching as an acceptance-testing test. Controlling root (via a MAC or otherwise) may be a more tenable approach.

FWIW, maintaining a local overlay repository is rather trivial and may be an option you want to pursue if you just want to maintain your own init scripts in a packaged form. If you do it well enough and in a reasonable manner that doesn't overly interfere with other uses for the package, you can probably submit it upstream and get it accepted.
