Re: [PATCH] Allow /dev/{,k}mem to be disabled to prevent kernel from being modified easily

From: Alan Cox (alan@lxorguk.ukuu.org.uk)
Date: Mon Aug 04 2003 - 08:10:42 EST

Next message: Stephan von Krawczynski: "Re: FS: hardlinks on directories"
Previous message: Jesse Pollard: "Re: TOE brain dump"
In reply to: bert hubert: "Re: [PATCH] Allow /dev/{,k}mem to be disabled to prevent kernel from being modified easily"
Next in thread: Matan Ziv-Av: "Re: [PATCH] Allow /dev/{,k}mem to be disabled to prevent kernel from being modified easily"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sul, 2003-08-03 at 22:47, bert hubert wrote:
> As to what Alan said about LSM, I've yet to see how to do that in a
> reasonable way. But I didn't look too hard.

Just refuse anything needing CAP_SYS_RAWIO at all times. Thats why this
capability flag exists. Or with SELinux you can create a role which has
RAWIO access but is very limited in other ways (eg "Only my X server",
or "only the firmware loader for my serial card") and which is tainted
if anything else touches those files

Alan

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Stephan von Krawczynski: "Re: FS: hardlinks on directories"
Previous message: Jesse Pollard: "Re: TOE brain dump"
In reply to: bert hubert: "Re: [PATCH] Allow /dev/{,k}mem to be disabled to prevent kernel from being modified easily"
Next in thread: Matan Ziv-Av: "Re: [PATCH] Allow /dev/{,k}mem to be disabled to prevent kernel from being modified easily"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Thu Aug 07 2003 - 22:00:23 EST