Re: A system for rebootless kernel security updates

[Enrico Weigelt]

* Jeff Arnold <jbarnold@xxxxxxx> wrote:

Hi,

> I'm willing to undertake the project of bringing the code up to kernel 
> coding standards so that it can eventually be considered for mainline. 
> I'll plan on undertaking this project if I don't receive feedback that I 
> shouldn't do so.

Great think :)
I'd actually like to see it mainline tree (I prefer vanilla kernel
instead of distro specific). 

> If people have concerns about the high-level design of the system, it 
> would be useful for me to know that information sooner rather than later.

I didn't have the time for an deeper study yet, but as you already
mentioned, there're lots of limitations which can make it harmful:
as soon as interfaces chance, you're in *big* trouble. There should
be a way for finding them (automatically). Maybe extract the 
interface signatures (including structs!) so some appropriate place
next to the kernel, so they can be checked before (re)loading the
module.

Ah, of course you can't change code that's not an dynamic module :(


Even this goes OT now - I'd really prefer more things in userland,
eg. network- or synthetic filesystems, crypt stuff, etc - so 
there would be less to update within the kernel ;-o

cu
-- 
---------------------------------------------------------------------
 Enrico Weigelt    ==   metux IT service - http://www.metux.de/
---------------------------------------------------------------------
 Please visit the OpenSource QM Taskforce:
 	http://wiki.metux.de/public/OpenSource_QM_Taskforce
 Patches / Fixes for a lot dozens of packages in dozens of versions:
	http://patches.metux.de/
---------------------------------------------------------------------
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/