From: Chris Wright
Date: Thu May 13 2004 - 14:44:19 EST
* Andrew Morton (akpm@xxxxxxxx) wrote:
> Chris Wright <chrisw@xxxxxxxx> wrote:
> > What about something that's just simple and generic? This is similar to
> > Andrea's disable_cap_mlock patch and the disabling capabilities patch
> > that wli produced back in that thread. It would remove the hack, and
> > buy us some time to find better solutions. Downside of course (as all
> > of these have) is reduced security value.
Oops, I assumed the MODULE_PARAM_DESC was self-explanatory for a first
pass, sorry about that.
> I assume one does
> modprobe capability mask=32768
> and this squashes CAP_IPC_LOCK system-wide?
Yes, although I think you picked off the wrong bit ;-) (and I prefer hex)
modprobe capability mask=0x4000
or if CONFIG_SECURITY_MODULE=y, then boot param:
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/