On Tue, Nov 28, 2017 at 04:18:59PM -0800, Kees Cook wrote: > There's also a difference between immutable CONFIG options that cannot > be disabled at runtime, those that can, global sysctls, per-namespace > controls, etc etc. The kernel is all about providing admins with knobs > to tweak their performance and security. Suddenly being told that we > can't create optional improvements is very odd.
I just think that tweakable knobs are mostly pointless. From my experience the number of sysadmins that adjust knobs is ***tiny***[1]. Put another way, the effort to determine whether tweaking a knob will result in breakages or will be safe is as much work as creating a white list of modules that are allowed to be loaded. [1] And I say that having providing a lot of knobs for ext4. :-) This is why some on the kernel-hardening list have argued for making the default to be opt-out, which means some users will be breaken (and their answer to that seems to be, "oh well --- gotta break some eggs to make an omlette". Sucks if you're one of the eggs, though.) And I don't see how systemd magically means no one will be broken. If you have a non-root process trying to invoke a line discpline which has to be loaded as a module, if you flip the switch, that process will be broken. How does using systemd make the problem go away? - Ted