From: Prarit Bhargava prarit@redhat.com
mod-denylist.sh: Change to denylist
Change blacklist references to denylist.
v2: modprobe still uses blacklist
Suggested-by: Brian Masney bmasney@redhat.com
Signed-off-by: Prarit Bhargava prarit@redhat.com
diff --git a/redhat/mod-denylist.sh b/redhat/mod-denylist.sh index blahblah..blahblah 100755 --- a/redhat/mod-denylist.sh +++ b/redhat/mod-denylist.sh @@ -10,28 +10,29 @@ Dir="$1/$2" List=$3 Dest="$4"
-blacklist() +denylist() { + # modprobe still uses the phrase 'blacklist' instead of 'denylist' cat > "$RpmDir/etc/modprobe.d/$1-blacklist.conf" <<-__EOF__ # This kernel module can be automatically loaded by non-root users. To - # enhance system security, the module is blacklisted by default to ensure + # enhance system security, the module is denylisted by default to ensure # system administrators make the module available for use as needed. # See https://access.redhat.com/articles/3760101 for more details. # - # Remove the blacklist by adding a comment # at the start of the line. + # Remove the denylist by adding a comment # at the start of the line. blacklist $1 __EOF__ }
-check_blacklist() +check_denylist() { mod=$(find "$RpmDir/$ModDir" -name "$1") [ ! "$mod" ] && return 0 if modinfo "$mod" | grep -q '^alias:\s+net-'; then mod="${1##*/}" mod="${mod%.ko*}" - echo "$mod has an alias that allows auto-loading. Blacklisting." - blacklist "$mod" + echo "Blocking $mod from auto-loading." + denylist "$mod" fi }
@@ -142,7 +143,7 @@ if [ -z "$Dest" ]; then sed -e "s|^.|${ModDir}|g" "$Dir"/dep2.list > "$RpmDir/$ListName" echo "./$RpmDir/$ListName created." [ -d "$RpmDir/etc/modprobe.d/" ] || mkdir -p "$RpmDir/etc/modprobe.d/" - foreachp check_blacklist < "$List" + foreachp check_denylist < "$List" fi
# Many BIOS-es export a PNP-id which causes the floppy driver to autoload @@ -152,7 +153,7 @@ fi
floppylist=("$RpmDir"/"$ModDir"/kernel/drivers/block/floppy.ko*) if [[ -n ${floppylist[0]} && -f ${floppylist[0]} ]]; then - blacklist "floppy" + denylist "floppy" fi
# avoid an empty kernel-extra package
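Review bot: in check_denylist(), the unchanged context line `modinfo "$mod" | grep -q '^alias:\s+net-'` is shown without `-E`, and in grep's basic regular expressions an unescaped `+` is a literal plus sign, so as it appears here the pattern cannot match modinfo's `alias:` lines (which have spaces before `net-`) and this check would block nothing. If the file really reads this way, use `grep -Eq '^alias:\s+net-'` or write the quantifier as `\s\+`. Separately, the new comment in denylist() sits directly above the `$1-blacklist.conf` path, while the part that has to keep modprobe's wording is the `blacklist $1` directive inside the file; placing the comment next to that directive would make this clear. The generated text "Remove the denylist by adding a comment # at the start of the line" could also name the `blacklist $1` line it refers to.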
-- https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1185
On 6/29/21 9:51 AM, Prarit Bhargava (via Email Bridge) wrote:
-check_blacklist() +check_denylist() { mod=$(find "$RpmDir/$ModDir" -name "$1") [ ! "$mod" ] && return 0 if modinfo "$mod" | grep -q '^alias:\s+net-'; then mod="${1##*/}" mod="${mod%.ko*}"
echo "$mod has an alias that allows auto-loading. Blacklisting."
blacklist "$mod"
echo "Blocking $mod from auto-loading."
denylist "$mod"
Just a quick note here. I made this change because I'm not 100% sure "denylisting" is a word. I can be easily convinced to change the message to
$mod has an alias that allows auto-loading. Denylisting.
P.
From: Brian Masney on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1185#note_6144355...
Acked-by: Brian Masney bmasney@redhat.com (via approve button)
From: Justin M. Forbes on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1185#note_6145244...
> Is this actually a `denylist` or a `disablelist`? This looks like a list for
> disabling modules...
Or a list of modules to deny the privilege to load.
From: Justin M. Forbes on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1185#note_6145769...
> Yeah, but what's actually *intuitive*? I don't think calling it a `denylist`
> makes sense. In this case, it's an enable/disable list.
Intuitive to a reader who doesn't ever deal with code, or intuitive to developers who have been paying attention to the inclusivity initiatives, as documented in the kernel itself (Documentation/process/coding-style.rst) where denylist is specifically called out as a replacement for blacklist, and "disablelist" does not get mentioned at all?
From: Herton R. Krzesinski on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1185#note_6146899...
I think it would be good to change `$1-blacklist.conf` to `$1-denylist.conf` here.
From: Prarit Bhargava on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1185#note_6164220...
I assumed that it had to end in blacklist.conf but I see now that the code only looks *in* the file for a blacklist entry. I tested this by blacklisting the skx_edac driver, rebooting, and confirming that the skx_edac module did not load.
```
[08:41 AM root@intel-purley-04 ~]# cat /etc/modprobe.d/skx_edac-denylist.conf
blacklist skx_edac
[08:42 AM root@intel-purley-04 ~]# lsmod | grep skx
```
I will fix this in v3.
kernel@lists.fedoraproject.org