Re: [PATCH 01/12] Security: Add CAP_COMPROMISE_KERNEL
From: Matthew Garrett
Date: Wed Mar 20 2013 - 12:49:44 EST
On Wed, 2013-03-20 at 12:41 -0400, Mimi Zohar wrote:
> Matthrew, perhaps you could clarify whether this will be tied to MAC
> security. Based on the kexec thread, I'm under the impression that is
> not the intention, or at least not for kexec. As root isn't trusted,
> neither is the boot command line, nor any policy that is loaded by root,
> including those for MAC.
The work done on signed initramfs fragments would seem to be the best
option here so far?
--
Matthew Garrett | mjg59@xxxxxxxxxxxxx
N§²æìr¸yúèØb²X¬¶ÇvØ^)Þ{.nÇ+·¥{±êçzX§¶¡Ü}©²ÆzÚ&j:+v¨¾«êçzZ+Ê+zf£¢·h§~Ûiÿûàz¹®w¥¢¸?¨èÚ&¢)ßfù^jÇy§m
á@A«a¶Úÿ0¶ìh®åi