Re: Save 320K on production machines?

From: Linda Walsh
Date: Mon Mar 27 2006 - 05:02:23 EST


Andre Tomt wrote:
Linda Walsh wrote:
<snip>
To minimize
problems, I disable unused hardware, and all _used_ hardware
is compiled in (no module loading overhead, no chances for
arbitrary code insertion).

FYI, rootkits have been able to cope with inserting kernel code without using the modules support for ages. It is only makes it marginally harder.

---
True, but that's the point. People break into systems with
passwords. Just because passwords aren't 100% effective in
protecting systems doesn't mean we don't use them. :-)

The point is to "minimize" a vulnerability profile.
I'm wondering why unused code is required to be compiled
in to standard kernels. It seems very un-linux like -- more like
Windows that has support for everything compiled in.

Reducing code bloat is not just a good idea for embedded systems.
It's good for performance and security if for no other reason that
there are fewer lines that could go wrong. :-)

-l

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/