On Tue, 2 May 2000 lamont@icopyright.com wrote:
> > - To properly secure immutable files you need to prevent updating the raw
> > block device. This is possible by banning CAP_MKNOD then _unlinking_ the
> > sensitive block device files.
>
> gotta be done after all the devices are fsck'd and mounted, also you need
> to re-mknod the devices as part of the bootsequence, then drop CAP_MKNOD.
I've one thing to add here - this "unlink block devices" inconvenience
disappears when we get the ability to put an immutable flag on a block
device. I think Al Viro had plans to sort this as part of his VFS
cleanups, but I expect it'll be a 2.5 thing.
Cheers
Chris
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Sun May 07 2000 - 21:00:11 EST