From: Miroslav Lachman <000.fbsd@quip.cz>
Date: Fri, 3 Jan 2025 01:56:53 +0100
Subject: Re: Should kernel modules be executable?
To: Zhenlei Huang, Dag-Erling Smørgrav
Cc: FreeBSD-STABLE Mailing List, hrant@dadivanyan.net
List-Id: Production branch of FreeBSD source code
List-Archive: https://lists.freebsd.org/archives/freebsd-stable

On 02/01/2025 11:15, Zhenlei Huang wrote:
>
>
>> On Jan 2, 2025, at 5:05 PM, Dag-Erling Smørgrav wrote:
>>
>> Zhenlei Huang writes:
>>> Miroslav Lachman <000.fbsd@quip.cz> writes:
>>>> Previously there were about 25 files with permission r-xr-xr-x and
>>>> 871 with other permissions (mainly -r--r--r--).
>>>> But on the FreeBSD 14.2 (upgraded by freebsd-update), there are 809
>>>> files with r-xr-xr-x permission and only 66 with other permissions
>>>> (63 with r--r--r--)
>>> Yes, indeed. The permission of kernel modules was changed from 555 to
>>> KMODMODE ( NOBINMODE, 444 ). See https://reviews.freebsd.org/D42768
>>> for more context.
>>
>> And yet the observed change is the opposite.
>>
>> Looking at a 14.2 kernel tarball, the modules are not executable, but on
>> a 14.2 system updated from an earlier release using freebsd-update, they
>> are.
>
> I also observed this.
`freebsd-upgrade IDS` reported the issue and I manually fixed the *wrong* permissions.

Thanks to all who replied.

I upgraded another machine from 13.3 to 14.2 and checked everything before and after upgrade. If the modules were read only in 13.3, they are read only after the upgrade. So the ones that are executable were executable before the upgrade too and the upgrade did not "fix" the permissions on them.

I will manually set 0444 on modules on all machines.

Kind regards
Miroslav Lachman
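
One way to run the before-and-after check described in this message, as an added example that is not part of the original mail or of FreeBSD: it counts kernel modules that carry any execute bit and can reset them to 0444. The `/boot/kernel` default, the `MODDIR` variable and the function names are assumptions.

```shell
#!/bin/sh
# Added example: audit kernel module permissions against the 0444 mode
# discussed in the thread. MODDIR and all function names are assumptions.

MODDIR="${MODDIR:-/boot/kernel}"   # assumed default module directory

# Print every *.ko file under $1 that has any execute bit set.
# Only POSIX find primaries are used, so BSD and GNU find behave alike.
list_exec_modules() {
    find "$1" -type f -name '*.ko' \
        \( -perm -100 -o -perm -010 -o -perm -001 \) -print
}

# Print "<executable> <total>" module counts for directory $1.
count_modules() {
    total=$(find "$1" -type f -name '*.ko' -print | wc -l)
    exec_n=$(list_exec_modules "$1" | wc -l)
    # Arithmetic expansion strips the padding BSD wc adds to its output.
    echo "$((exec_n)) $((total))"
}

# Reset executable modules under $1 to 0444.
# Dry run by default; pass "apply" as $2 to actually change modes.
fix_modules() {
    list_exec_modules "$1" | while IFS= read -r f; do
        if [ "${2:-}" = "apply" ]; then
            chmod 0444 "$f" && echo "fixed: $f"
        else
            echo "would fix: $f"
        fi
    done
}

# Nothing runs unless a subcommand is given on the command line.
case "${1:-}" in
    report) count_modules "$MODDIR"; list_exec_modules "$MODDIR" ;;
    dryrun) fix_modules "$MODDIR" ;;
    fix)    fix_modules "$MODDIR" apply ;;
esac
```

Running `report` before and after an upgrade gives the two counts to compare; `fix` needs write access to the module directory.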