Re: [kernel-hardening] Re: [PATCH v5 next 5/5] net: modules: use request_module_cap() to load 'netdev-%s' modules
From: Linus Torvalds
Date: Tue Nov 28 2017 - 18:52:06 EST
On Tue, Nov 28, 2017 at 1:51 PM, Geo Kozey <geokozey@xxxxxxxxxxxxx> wrote:
>
> What about "we're insecure by default but you can't do anything to change this"? It describes current situation.
Go away, and don't send me patches until you have dug your head out of
whatever hole you have put it in.
If this is the kind of shit-headed responses I get from the
"hardening" list, then I don't want to have anything to do with you
guys.
Seriously.
I sent out a long explanation of what's wrong with the hardening
people last week. It made the news. If you still don't understand,
you're simply not worth working with.
If you cannot help improve kernel security for the default case, and
you can't even be bothered to try, and only want to fix some special
case that doesn't then improve anything at all for most people, I
really _really_ suggest you go play in your own sandbox.
Because clearly, if you're not interested in improving things for
anybody else, why the hell should you care about the upstream kernel
anyway?
That's what this boils down to: if you send me patches, you had better
strive to improve security for everybody, not just for some little
locked-down special case.
We're not grsecurity. We never have been. We're not interested in the
crazy people. We're interested in the kind of security that is
generally applicable.
To the mainline kernel, not breaking existing users matters, but it
also matters that the patches make sense for everybody, because
otherwise, why be mainline?
So a patch that avoids breaking existing users, but also doesn't
actually improve anything for existing users, simply shouldn't be part
of the mainline kernel.
Comprende?
Linus