Re: [PATCH] Fix dmesg_restrict build failure with CONFIG_EMBEDDED=y and CONFIG_PRINTK=n

From: James Morris
Date: Mon Nov 15 2010 - 17:59:41 EST


On Mon, 15 Nov 2010, Eric Paris wrote:

> Not sure how that's possible. I mean, I guess it's possible if the
> fabled LSM reimplements the cap call, but I'm not sure how you can
> remove a restrictive only security check without 'weakening' the system
> in some way.

If generic security logic is mixed into a capability call, then not
implementing the cap call also loses the generic security logic.

e.g. dmesg_restrict should always be verified, regardless of whether
cap_security() is called or not.

If cap_syslog() should always be called, then it should not be possible
to not call it :-)


- James
--
James Morris
<jmorris@xxxxxxxxx>
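
The design point made in the message above, as an added example that is not part of the original message and not kernel code: a simplified user-space model in which a hypothetical LSM replaces the syslog hook without chaining to the capability version. The struct, the function names other than cap_syslog, and the reduced check are assumptions made for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Simplified model: stands in for the dmesg_restrict sysctl. */
static bool dmesg_restrict = true;

/* Hypothetical stand-in for a task's credentials. */
struct task { bool cap_sys_admin; };

typedef int (*syslog_hook_t)(const struct task *t);

/* Capability hook with the generic dmesg_restrict policy mixed into it. */
static int cap_syslog_mixed(const struct task *t)
{
    if (dmesg_restrict && !t->cap_sys_admin)
        return -EPERM;
    return 0;
}

/* Hypothetical LSM hook that applies its own policy and never calls cap. */
static int other_lsm_syslog(const struct task *t)
{
    (void)t;
    return 0; /* this module's policy allows the request */
}

/* Layout A: the caller relies on whichever hook is installed. */
int do_syslog_mixed(syslog_hook_t hook, const struct task *t)
{
    return hook(t);
}

/* Layout B: the generic check lives in the caller, so no hook can skip it. */
int do_syslog_split(syslog_hook_t hook, const struct task *t)
{
    if (dmesg_restrict && !t->cap_sys_admin)
        return -EPERM;
    return hook(t);
}

int main(void)
{
    struct task user = { .cap_sys_admin = false };
    printf("A, cap hook:   %d\n", do_syslog_mixed(cap_syslog_mixed, &user));
    printf("A, other hook: %d\n", do_syslog_mixed(other_lsm_syslog, &user));
    printf("B, other hook: %d\n", do_syslog_split(other_lsm_syslog, &user));
    return 0;
}
```

In layout A the restriction disappears as soon as the capability hook is not the one installed; in layout B it holds for any hook.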