Re: 2.6.6-mm2

From: Chris Wright
Date: Thu May 13 2004 - 14:44:19 EST

* Andrew Morton (akpm@xxxxxxxx) wrote:
> Chris Wright <chrisw@xxxxxxxx> wrote:
> > What about something that's just simple and generic? This is similar to
> > Andrea's disable_cap_mlock patch and the disabling capabilities patch
> > that wli produced back in that thread. It would remove the hack, and
> > buy us some time to find better solutions. Downside of course (as all
> > of these have) is reduced security value.

Oops, I assumed the MODULE_PARAM_DESC was self-explanatory for a first
pass, sorry about that.

> I assume one does
> modprobe capability mask=32768
> and this squashes CAP_IPC_LOCK system-wide?

Yes, although I think you picked off the wrong bit ;-) (and I prefer hex)

modprobe capability mask=0x4000

or if CONFIG_SECURITY_MODULE=y, then boot param:


Linux Security Modules
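As an added example (not part of the original message or of the patch under discussion), this C program decodes a mask value into capability names, which shows why 32768 and 0x4000 select different bits. The helper names `parse_mask` and `decode_mask` are hypothetical, and the table covers bit numbers 0 to 28 as defined in `<linux/capability.h>`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bit numbers 0..28 from <linux/capability.h>; array index == bit number. */
static const char *const cap_names[] = {
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
    "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
    "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK",
    "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE", "CAP_SYS_RESOURCE",
    "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE",
};
#define NCAPS (sizeof(cap_names) / sizeof(cap_names[0]))

/* Hypothetical helper: parse decimal, 0x hex or 0 octal; -1 on junk or unknown bits. */
int parse_mask(const char *s, unsigned long *mask)
{
    char *end;
    unsigned long v = strtoul(s, &end, 0);
    if (end == s || *end != '\0' || (v >> NCAPS) != 0)
        return -1;
    *mask = v;
    return 0;
}

/* Hypothetical helper: write "A|B|..." for every set bit; returns the bit count. */
int decode_mask(unsigned long mask, char *out, size_t len)
{
    int n = 0;
    out[0] = '\0';
    for (size_t bit = 0; bit < NCAPS; bit++) {
        if (!(mask & (1UL << bit))) continue;
        size_t used = strlen(out);
        snprintf(out + used, len - used, "%s%s", n++ ? "|" : "", cap_names[bit]);
    }
    return n;
}

int main(void)
{
    const char *samples[] = { "32768", "0x4000" };  /* the two values quoted in the thread */
    char buf[512];
    unsigned long m;
    for (int i = 0; i < 2; i++)
        if (parse_mask(samples[i], &m) == 0 && decode_mask(m, buf, sizeof buf))
            printf("mask=%s -> %s\n", samples[i], buf);
    return 0;
}
```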