From owner-freebsd-questions@freebsd.org Thu May 4 13:56:08 2017
Subject: Re: Stop ZFS/opensolaris from autoloading?
To: freebsd-questions@freebsd.org
From: Vincent Hoffman-Kazlauskas
Message-ID: <89f7e963-56fe-11c0-d78a-cdb21d253cb1@unsane.co.uk>
Date: Thu, 4 May 2017 14:56:00 +0100

On 01/05/2017 00:17, Dan Mahoney wrote:
> All,
>
Hi,
> Short of renaming the modules (which breaks upgrades and is
> unpredictable) is there any easy way to stop a system from auto-loading
> the ZFS modules?
>
> We've got some memory-constrained systems and the concept of "modules
> that load themselves" somewhat bugs me.
Reasonably enough. However, I think that the only way to do this without
deleting/renaming the kernel modules would be to set
kern_securelevel_enable=1 (or greater) in rc.conf or use
sysctl kern.securelevel=1
These are the same thing, but adding to rc.conf makes it permanent.
Have a read of man 7 security, specifically the "SECURING THE KERNEL CORE,
RAW DEVICES, AND FILE SYSTEMS" section first though, as it does other things
you may not want. Also, once you have set a secure mode you are stuck with it
till reboot.

[root@vm ~]# sysctl kern.securelevel=1
kern.securelevel: -1 -> 1
[root@vm ~]# zpool status
internal error: failed to initialize ZFS library
[root@vm ~]# sysctl kern.securelevel=0
kern.securelevel: 1
sysctl: kern.securelevel=0: Operation not permitted

Vince

>
> I'd rather "zpool status" (which is often called by things like Facter)
> simply return an error than load a kernel module that will never be used.
>
> -Dan
>
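
An added example, not part of the original message: rc.conf(5) has two knobs, kern_securelevel_enable (a boolean) and kern_securelevel (the level), and rc.d/securelevel raises the level only when the first is true and the second is 0 or higher. The sketch below sources an rc.conf-style file, as rc.subr does, and reports the level that would be applied at boot; the function names and any file passed to them are assumptions for illustration.

```sh
#!/bin/sh
# Added example: audit which securelevel an rc.conf-style file applies at boot.

# Print the securelevel the given file would apply, or -1 if none.
# The file is sourced (rc.conf is sh syntax), so only point this at
# root-owned configuration you already trust.
effective_securelevel() {
    (
        # Defaults as shipped in /etc/defaults/rc.conf.
        kern_securelevel_enable="NO"
        kern_securelevel="-1"
        . "$1" >/dev/null 2>&1 || exit 2

        # Same truthy values rc.subr's checkyesno accepts.
        case "$kern_securelevel_enable" in
            [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) ;;
            *) echo -1; exit 0 ;;
        esac

        # rc.d/securelevel only acts on levels >= 0; a negative or
        # non-numeric value leaves the kernel at its boot default.
        case "$kern_securelevel" in
            ''|*[!0-9]*) echo -1 ;;
            *) echo "$kern_securelevel" ;;
        esac
    )
}

# Succeed if the given level forbids loading/unloading kernel modules
# (securelevel 1 and above, per security(7)).
blocks_kldload() {
    case "$1" in
        ''|-*|*[!0-9]*) return 1 ;;
        *) [ "$1" -ge 1 ] ;;
    esac
}
```

On a FreeBSD host, compare `effective_securelevel /etc/rc.conf` with `sysctl -n kern.securelevel` to see whether the running level will survive a reboot.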