Andre Tomt wrote:
Linda Walsh wrote:
<snip>
To minimize
problems, I disable unused hardware, and all _used_ hardware
is compiled in (no module loading overhead, no chances for
arbitrary code insertion).
FYI, rootkits have been able to cope with inserting kernel code
without using the modules support for ages. It is only makes it
marginally harder.
---
True, but that's the point. People break into systems with
passwords. Just because passwords aren't 100% effective in
protecting systems doesn't mean we don't use them. :-)
The point is to "minimize" a vulnerability profile.
I'm wondering why unused code is required to be compiled
in to standard kernels. It seems very un-linux like -- more like
Windows that has support for everything compiled in.
Reducing code bloat is not just a good idea for embedded systems.
It's good for performance and security if for no other reason that
there are fewer lines that could go wrong. :-)
-l
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]
