en-US/Revision_History.xml en-US/Security.xml
John J. McDonough
jjmcd at fedoraproject.org
Sat May 22 18:01:45 UTC 2010
en-US/Revision_History.xml | 14 ++++++++++++++
en-US/Security.xml | 38 --------------------------------------
2 files changed, 14 insertions(+), 38 deletions(-)
New commits:
commit 240269ebcc974a879eb61ef64586e1a51743d20a
Author: John J. McDonough <jjmcd at fedoraproject.org>
Date: Sat May 22 14:01:32 2010 -0400
Remove reference to modprobe whitelist BZ#594466
diff --git a/en-US/Revision_History.xml b/en-US/Revision_History.xml
index 7a19b51..d8c1256 100644
--- a/en-US/Revision_History.xml
+++ b/en-US/Revision_History.xml
@@ -7,6 +7,20 @@
<!-- revisions must be listed in reverse-chronological order -->
<revhistory>
<revision>
+ <revnumber>5</revnumber>
+ <date>Sat May 21 2010</date>
+ <author>
+ <firstname>John</firstname>
+ <surname>McDonough</surname>
+ <email>jjmcd at fedoraproject.org</email>
+ </author>
+ <revdescription>
+ <simplelist>
+ <member>Remove description of modprobe whitelist BZ#594466</member>
+ </simplelist>
+ </revdescription>
+ </revision>
+ <revision>
<revnumber>4</revnumber>
<date>Fri 14 May 2010</date>
<author>
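Review bot: The new `<date>Sat May 21 2010</date>` in revision 5 does not agree with the commit's own date, Sat May 22 2010, which makes May 21 a Friday, so either the weekday or the day number is wrong. The field order also differs from the entry directly below it (`Fri 14 May 2010`). Suggest writing it in that existing day-month order with a matching weekday, i.e. `Fri 21 May 2010` or `Sat 22 May 2010`, whichever is the intended revision date.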
diff --git a/en-US/Security.xml b/en-US/Security.xml
index b995fd0..b1d5dff 100644
--- a/en-US/Security.xml
+++ b/en-US/Security.xml
@@ -31,44 +31,6 @@
</para>
</section>
- <section>
- <title>modprobe Whitelist </title>
- <indexterm><primary>modprobe</primary></indexterm>
- <para>
- <application>modprobe</application> Whitelist allows system administrators
- in high-security situations to limit the modules loaded by
- <application>modprobe</application> to a specific list of modules
- configured by the administrator. This limit makes it impossible for unprivileged
- users to exploit vulnerabilities in modules that are not ordinarily used, for example,
- by attaching hardware. The amount of potentially
- vulnerable code that can run in the kernel is therefore limited.
- </para>
- <para>
- <application>modprobe</application> can also run specified commands
- instead of loading a module (using the <command>install</command>
- configuration directive); this is restricted using the same whitelist as
- well. To help system administrators compile the whitelist, additional
- functionality is added to <application>modprobe</application>: it will be
- possible to log all information (similar to using <command>modprobe -v</command>) to a specified file, including
- <application>modprobe</application> actions run in the <application>dracut</application> <filename>initrd</filename>. A
- script will be provided that compiles a proposed whitelist from the logged
- data.
- </para>
- <para>
- Use this whitelist to reduce the kernel-space attack surface considerably and avoid risk of
- vulnerabilities in rarely-used kernel-mode code. A sample desktop Fedora
- system currently has 79 modules loaded, out of 1964 available modules
- (4%). When counting code size, and the main kernel file (<filename>/boot/vmlinuz*</filename>)
- is included, the sample desktop system runs 8.36 MB of kernel-space code,
- out of 34.66 MB available (24%).
- </para>
- <para>
- Refer to the <citetitle>Modprobe
- Whitelist </citetitle> feature page on the Fedora wiki for a more complete
- description of this feature: <ulink
- url="http://fedoraproject.org/w/index.php?title=Features/ModprobeWhitelist"></ulink>
- </para>
- </section>
<section>
<title>User Account Dialog </title>
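Review bot: The deletion in Security.xml removes the whole modprobe Whitelist section, including its `<indexterm>`, but neither the commit message nor the new revdescription member gives a reason, only the bug number BZ#594466. The removed paragraphs told administrators they could use the whitelist to limit which modules modprobe loads, so a short reason in the revdescription (taken from what the bug records) would keep readers of revision 4 from assuming that control is still available. The section had no id attribute, so no xref can point at it, but it is worth searching the remaining chapters for other mentions of the whitelist before this goes out.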