Re: [PATCH v2] kernel: add panic_on_taint

From: Rafael Aquini
Date: Thu May 07 2020 - 14:53:34 EST


On Thu, May 07, 2020 at 06:50:46PM +0000, Luis Chamberlain wrote:
> On Thu, May 07, 2020 at 02:06:31PM -0400, Rafael Aquini wrote:
> > Another, perhaps less frequent, use for this option would be
> > as a means of assuring a security policy (in paranoid mode)
> > case where no single taint is allowed for the running system.
>
> If used for this purpose then we must add a new TAINT flag for
> proc_taint() was used, otherwise we can cheat to show a taint
> *did* happen, where in fact it never happened, some punk just
> echo'd a value into the kernel's /proc/sys/kernel/tainted.
>

To accomplish that, the punk would need to be root, though, in which
case everything else is doomed already.

> Fortunately proc_taint() only allows one to *increment* the taint, not
> reduce it.
>
> Luis
>
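The monotonic property Luis points to (a write to /proc/sys/kernel/tainted can only add bits, never clear them) and the panic_on_taint policy the patch proposes can be seen together in the following user-space model. This is an added illustration, not code from the patch or the kernel: tainted_mask, add_taint(), proc_taint_write() and the placement of the panic_on_taint check inside add_taint() are simplified assumptions mirroring the mechanism as discussed in the thread, and the panic() is replaced by a counter so the program runs to completion.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed user-space model of kernel taint bookkeeping (not kernel
 * code): the globals, add_taint(), the sysctl write handler and the
 * panic_on_taint check are simplified assumptions for illustration. */

#define TAINT_FLAGS_COUNT 18

/* One-letter codes in bit order, matching the kernel's taint_flags table
 * (P=proprietary module, W=warn, O=out-of-tree module, ...). */
static const char taint_letters[TAINT_FLAGS_COUNT + 1] = "PFSRMBUDAWCIOELKXT";

static unsigned long tainted_mask;    /* taint bits currently set */
static unsigned long panic_on_taint;  /* bits that should trigger panic() */
static int panic_calls;               /* stand-in for panic() */

static void reset_taint_model(unsigned long panic_mask)
{
    tainted_mask = 0;
    panic_on_taint = panic_mask;
    panic_calls = 0;
}

/* Model of add_taint(): set one bit, then apply the panic_on_taint policy.
 * Where the real check lives is an assumption of this model. */
static void add_taint(unsigned int flag)
{
    if (flag >= TAINT_FLAGS_COUNT)
        return;
    tainted_mask |= 1UL << flag;
    if (panic_on_taint & (1UL << flag))
        panic_calls++;  /* the kernel would panic() here */
}

/* Model of a write to /proc/sys/kernel/tainted: each bit set in the written
 * value is handed to add_taint(); bits already set stay set, so the mask can
 * only grow (writing 0 clears nothing). Returns the resulting mask. */
static unsigned long proc_taint_write(unsigned long value)
{
    for (unsigned int i = 0; i < TAINT_FLAGS_COUNT && (value >> i); i++)
        if ((value >> i) & 1)
            add_taint(i);
    return tainted_mask;
}

/* Render a mask as the letter string shown in oops output ("Tainted: P W O");
 * returns the number of letters written. */
static int taint_string(unsigned long mask, char *buf, size_t len)
{
    size_t n = 0;
    if (len == 0)
        return 0;
    for (unsigned int i = 0; i < TAINT_FLAGS_COUNT && n + 1 < len; i++)
        if (mask & (1UL << i))
            buf[n++] = taint_letters[i];
    buf[n] = '\0';
    return (int)n;
}

int main(void)
{
    char buf[TAINT_FLAGS_COUNT + 1];

    reset_taint_model(1UL << 9);        /* policy: panic when TAINT_WARN (W) is set */
    proc_taint_write(1UL << 0);         /* like "echo 1 > tainted": sets P */
    proc_taint_write(0);                /* like "echo 0 > tainted": P stays set */
    taint_string(tainted_mask, buf, sizeof buf);
    printf("mask=%#lx letters=%s panics=%d\n", tainted_mask, buf, panic_calls);

    proc_taint_write(1UL << 9);         /* a root write of the W bit hits the policy */
    taint_string(tainted_mask, buf, sizeof buf);
    printf("mask=%#lx letters=%s panics=%d\n", tainted_mask, buf, panic_calls);
    return 0;
}
```

The second write shows Luis's concern in miniature: a sysctl write is indistinguishable, in the mask, from a taint raised by the kernel itself, which is why a distinct flag recording that proc_taint() was used would be needed before the mask could back a "no taint allowed" policy. The first two writes show why the opposite direction is not a problem: the mask never shrinks.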