> On Feb 13, 2015, at 2:14 PM, Christos Zoulas <[email protected]> wrote:
>
> In article <[email protected]>,
> Joerg Sonnenberger <[email protected]> wrote:
>>
>> I have asked the same question a long time ago when we pruned a bunch of
>> other obsolete emulations. From a security stand point, I fully agree
>> with Maxime. The usefulness of the FreeBSD emulation is *very* limited,
>> it can't even handle most FreeBSD 4 binaries. I find it highly
>> questionable to keep a non-trivial attack surface for the sake of a
>> single device driver, which most people likely don't even have. I don't
>> see any evidence in the tree of COMPAT_FREEBSD improving or any of the
>> users of tw_cli working on improving the situation by removing the need
>> for it. As such I find disabling COMPAT_FREEBSD by default a very good
>> idea for increasing the visibility of the problem. Maybe someone who
>> should be caring actually starts to...
>
> I agree with joerg here. I think that reducing the footprint of
> GENERIC for the benefit of security is the right approach to this
> matter... We have the ALL kernel to test compilation, and the
> approach should be that GENERIC should be appropriate for all
> "normal" uses and I think COMPAT_FREEBSD belongs in the "fringe"
> users side (or at least in the limited number of users). I.e.
> If you want to run FreeBSD binaries, you can build your own kernel.

Also, shouldn't the compat_freebsd module be autoloaded if you need it? If so, not having it in the kernel shouldn't really affect things.
