On Sun, Mar 29, 2009 at 08:43, Alex Efros
<powerman@××××××××××××××××××.com> wrote:
> On servers I build kernel without module support. But on workstation it's
> impossible to avoid using kernel modules: vmware-modules, nvidia-drivers...
<snip>
>
> Does it make sense to patch /etc/vmware/init.d/vmware this way on hardened
> systems in the vmware ebuild by default?

Opinion: module load prevention, like TPE, is an edge case of
hardening - it has its place but its utility is sufficiently narrow
that the majority of hardened users I know of don't use it. If you're
that tightly controlled, you should be vetting the packages
individually anyway, and should be able to add the patching as an
acceptance-testing test. Controlling root (via a MAC or otherwise)
may be a more tenable approach.

FWIW, maintaining a local overlay repository is rather trivial and may
be an option you want to pursue if you want to just maintain your own
init scripts in a packaged form. If you do it well enough and in a
reasonable manner that doesn't overly interfere with other uses for
the package, you can probably submit it upstream and get it accepted.