If an official procedure to disable the driver completely is documented and hosted from an official Debian server, it would be, in my opinion, an acceptable solution.
Users would have a copy-pastable procedure to disable HFS if the risk is intolerable to them, sysadmins would have an official page to explain why they disabled it, and having users disable a driver might add leverage to a potential effort to port this file system support out of the kernel with FUSE.

On Friday, 21 July 2023 at 09:20 +0100, Matthew Garrett wrote:
> On Thu, Jul 20, 2023 at 07:56:12PM +0200, Marco d'Itri wrote:
> > Package: src:linux
> > Severity: normal
> >
> > You are totally correct.
> > Kernel team, please blacklist HFS/HFS+ for automounting.
>
> Isn't this a userland policy decision? udisks will happily trigger a
> module load for hfsplus if udev has identified it, and I don't think
> there's a trivial mechanism for the kernel to disable that. I believe
> the only way for the kernel to disable automounting would be to disable
> the drivers entirely (which we don't want to do), so this probably needs
> to be assigned elsewhere rather than being a linux bug.
>
> (Or, alternatively, we could move hfs(+) support to FUSE and provide
> extremely tight seccomp policies around them, and then drop kernel
> support, but even though this has been talked about a bunch I haven't
> seen anyone try to implement it)