On 5/16/26 17:09, Bernhard R. Link wrote:
> Security wise, supporting allow-lists instead of only deny-lists
> would make it easier for systems where you know beforehand what you
> want (I guess many server systems might end up in there). Of course
> you can just load everything and disable module loading, but then
> you'll need a restart whenever what you load needs to be changed.

By the way, I've just added such a feature to kmod for us:

https://github.molgen.mpg.de/mariux64/kmod/compare/v34.2...v34.2-mpi

Previously, we experimented with a wrapper script for /proc/sys/kernel/modprobe:

https://github.molgen.mpg.de/mariux64/mxtools/pull/532

But this would guard only the modules requested by the kernel, not the modules
pulled in as dependencies. So I think we'll discontinue that approach and use
the kmod modification instead.

Best
Donald
--
Donald Buczek
[email protected]
Tel: +49 30 8413 1433
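
The gap described in the message above (a check on the module name handed to the /proc/sys/kernel/modprobe helper never sees the modules pulled in as dependencies), as an added example that is not part of the original message and is not the kmod or mxtools code. The modules.dep sample, the module names and the allow-list are constructed for illustration.

```python
import os
import re

# Constructed modules.dep sample ("<module path>: <dependency paths>");
# all module names are hypothetical.
SAMPLE_MODULES_DEP = """\
kernel/fs/appfs/appfs.ko.xz: kernel/lib/helper-crc.ko.xz kernel/net/legacy_proto.ko.xz
kernel/lib/helper-crc.ko.xz:
kernel/net/legacy_proto.ko.xz: kernel/crypto/old_hash.ko.xz
kernel/crypto/old_hash.ko.xz:
"""
ALLOWED = {"appfs", "helper_crc"}  # hypothetical site allow-list


def module_name(path):
    """Path or name -> module name: strip .ko[.gz|.xz|.zst], map '-' to '_'."""
    base = re.sub(r"\.ko(\.(gz|xz|zst))?$", "", os.path.basename(path))
    return base.replace("-", "_")


def parse_modules_dep(text):
    """Map each module name to the names listed after the colon on its line."""
    deps = {}
    for line in text.splitlines():
        target, sep, rest = line.strip().partition(":")
        if sep:
            deps[module_name(target)] = [module_name(p) for p in rest.split()]
    return deps


def load_set(deps, requested):
    """The requested module plus everything reachable through its dependencies."""
    seen, stack = set(), [module_name(requested)]
    while stack:
        name = stack.pop()
        if name not in seen:
            seen.add(name)
            stack.extend(deps.get(name, []))
    return seen


def request_only_check(requested, allowed):
    """What a filter on the kernel-requested name alone decides."""
    return module_name(requested) in allowed


def full_check(deps, requested, allowed):
    """Allow only if every module in the load set is listed; report the rest."""
    denied = sorted(load_set(deps, requested) - set(allowed))
    return (not denied, denied)
```

With the constructed data, a request for `appfs` passes the request-only check, while the full check rejects it because `legacy_proto` and `old_hash` would be loaded without being on the allow-list.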
