On Fri, May 15, 2026 at 07:20:19PM +0200, Michal Gorlas wrote:
> Add CONFIG_MODULE_RESTRICT_AUTOLOAD and modrestrict parameter
> documentation.
> 
> Signed-off-by: Michal Gorlas <[email protected]>
> ---
>  Documentation/admin-guide/kernel-parameters.txt |  5 +++++
>  kernel/module/Kconfig                           | 15 +++++++++++++++
>  2 files changed, 20 insertions(+)
> 
> diff --git a/Documentation/admin-guide/kernel-parameters.txt 
> b/Documentation/admin-guide/kernel-parameters.txt
> index 03a550630644..1013104f0943 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -4185,6 +4185,11 @@ Kernel parameters
>                       For details see:
>                       
> Documentation/admin-guide/hw-vuln/processor_mmio_stale_data.rst
>  
> +     modrestrict=<bool>
> +                     Control the restriction of module auto-loading to
> +                     CAP_SYS_ADMIN. If no <bool> value is specified, this
> +                     is set to the value of CONFIG_MODULE_RESTRICT_AUTOLOAD.

Doesn't this default to true if no bool value is specified? It only uses
the config if modrestrict is not passed to the kernel at all.

>       <module>.async_probe[=<bool>] [KNL]
>                       If no <bool> value is specified or if the value
>                       specified is not a valid <bool>, enable asynchronous
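
Review bot: the new modrestrict=<bool> entry carries no restriction tag, while the <module>.async_probe[=<bool>] entry directly below it is marked [KNL]; add the appropriate tag so the entry matches its neighbours. The description also never says which <bool> value turns the restriction on, and "If no <bool> value is specified" can be read either as a bare modrestrict on the command line or as the parameter being absent altogether. Describe those two cases separately, and say what restricting auto-loading to CAP_SYS_ADMIN means for a caller that lacks the capability.
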
> diff --git a/kernel/module/Kconfig b/kernel/module/Kconfig
> index 43b1bb01fd27..c9e01bb848c0 100644
> --- a/kernel/module/Kconfig
> +++ b/kernel/module/Kconfig
> @@ -337,6 +337,21 @@ config MODULE_SIG_HASH
>  
>  endif # MODULE_SIG || IMA_APPRAISE_MODSIG
>  
> +config MODULE_RESTRICT_AUTOLOAD
> +     bool "Restrict module auto-loading to privileged users"
> +     default n
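
Review bot: the prompt on the bool line says "privileged users", while the kernel-parameters.txt entry in this same patch says CAP_SYS_ADMIN. Name the capability in the Kconfig text as well, at least in the help text, so that the option and the modrestrict parameter are clearly the same control. In the lines quoted here, default n is also redundant, since a bool symbol with no default is already n.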

You don't need to specify default n here.

Also, I think you can just squash the two patches. There's no benefit
in splitting the config/documentation into a separate patch.

Sami
