Opened 6 years ago

Closed 6 years ago

#10205 closed enhancement (fixed)

Package Management file blacklist

Reported by: kallisti5 Owned by: bonefish
Priority: normal Milestone: Unscheduled
Component: - General Version: R1/Development
Keywords: Cc:
Blocked By: Blocking:
Has a Patch: no Platform: All

Description (last modified by kallisti5)

We should seriously consider a blacklist for PM. This would enable users to disable kernel drivers, add-ons, and translators.

maybe a ~/config/settings/blacklist config file?

Change History (8)

comment:1 Changed 6 years ago by kallisti5

On the GUI, as axel said in #10202:

"Kernel settings are something that should have no use for 99.9% of the users. It's definitely not happening as part of Haiku. IOW a perfect 3rd party opportunity :-)"

comment:2 Changed 6 years ago by bonefish

Something like this is already on my (virtual) TODO list, though in a more general manner. I was thinking of a settings file (a global one in the concerned installation location) that would allow to blacklist files in packages. packagefs would then simply skip those files and not publish them. This would not only take care of drivers, but any file (add-on, library) that may cause trouble.

A similar feature (i.e. the functionality to select those files) would be needed in the boot loader menu.

comment:3 Changed 6 years ago by kallisti5

that would also work. I was looking into the kernel level driver blacklist, and it would need to be added to src/system/kernel/module.cpp. "~load_module_image()" Having a separate blacklist file is a pain. If we did go with a kernel setting, using the normal kernel safemode settings would be easier. (then we could easily add a "blacklist" XXXXXXXXXX field on the boot menu. (it would operate like the other safemode settings, space separated list of modules to not load)

comment:4 Changed 6 years ago by bonefish

Well, we need a method to disable other files than drivers (e.g. translators: #7785) anyway, since having users edit packages is not really a reasonable option. It is also necessary -- or at least more convenient -- if you want to permanently replace a driver in the Haiku system package with an equally named different one. My suggested solution is fairly simple to implement and I don't think a separate settings file would be a big deal. It should be a very rarely used feature anyway.

comment:5 Changed 6 years ago by kallisti5

Description: modified (diff)
Owner: changed from nobody to bonefish
Status: newassigned
Summary: Kernel driver add-on blacklistPackage Management file blacklist

comment:6 Changed 6 years ago by kallisti5

One benefit of PM was that as /boot/system was read only it improved os security, etc. If files in packages can be blacklisted, in theory nefarious binaries could take the place of legitimate system files / libraries through the non-packaged directories. (then again, I think non-packaged stuff overrides system files anyway at the moment... so that may be a moot point)

comment:7 Changed 6 years ago by bonefish

My intention is to have a blacklist (or more generally: package settings) file per installation location (if needed). I.e. the package content of /boot/system could only be manipulated via /boot/system/settings/packages. The file would have the same (i.e. root/admin only) permissions as /boot/system/packages. So from a system security POV it wouldn't really change anything -- if you can modify the settings file, you could just as well modify/replace the packages themselves.

comment:8 Changed 6 years ago by bonefish

Resolution: fixed
Status: assignedclosed

Implemented in hrev46394.

Note: See TracTickets for help on using tickets.