Re: [PATCH 2/2] ACPI: Override arbitrary ACPI tables via initrd fordebugging

From: Alan Cox
Date: Mon Sep 24 2012 - 05:17:15 EST

Next message: Stephen Rothwell: "linux-next: manual merge of the arm-soc tree with the fbdev tree"
Previous message: Tomasz Stanislawski: "Re: [PATCH v2] drivers/media/platform/s5p-tv/sdo_drv.c: fix errorreturn code"
In reply to: Thomas Renninger: "Re: [PATCH 2/2] ACPI: Override arbitrary ACPI tables via initrd for debugging"
Next in thread: Thomas Renninger: "[PATCH] ACPI: Only allow users with CAP_SYS_RAWIO rights to overwrite ACPI funcs at runtime"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> The issue is/was, that root can inject code at runtime which is then
> executed in kernel environment.

Yes there are lots of other ways to do this too. The constraint we use
for it is CAP_SYS_RAWIO. With that capability you can totally do raw
hardware access and the like so requiring it for runtime ACPI updating
and execution is consistent with the security model.

> Afaik there are "security" provisions or say setups, which do
> hide modprobe/insmod and do not allow root to load any kernel drivers
> or similar.

To do this you have to revoke CAP_SYS_RAWIO.

Alan
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Stephen Rothwell: "linux-next: manual merge of the arm-soc tree with the fbdev tree"
Previous message: Tomasz Stanislawski: "Re: [PATCH v2] drivers/media/platform/s5p-tv/sdo_drv.c: fix errorreturn code"
In reply to: Thomas Renninger: "Re: [PATCH 2/2] ACPI: Override arbitrary ACPI tables via initrd for debugging"
Next in thread: Thomas Renninger: "[PATCH] ACPI: Only allow users with CAP_SYS_RAWIO rights to overwrite ACPI funcs at runtime"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]