Re: [PATCH][RFC] 2.5.42: remove capable(CAP_SYS_RAWIO) check from open_kmem

From: Andreas Steinmetz (ast@domdv.de)
Date: Thu Oct 17 2002 - 06:42:03 EST


>>What about writing a small wrapper application that drops all
>>privileges except CAP_RAWIO, switches to the user you want,
>>then execs the target application that needs to access /dev/kmem?
>
>
> I just tried this, but I didn't succeed. :-(
>
>
>>Or store the capabilities in the filesystem, but I don't know which
>>filesystem supports that.
>
>
> There's none so far.
>

Not exactly. Well, not really a filesystem. But there's already security
use of this feature you want to remove. Think LSM. Look at e.g. LIDS. I'm
using this additional protection already under 2.4.x to prevent uid 0
processes from accessing /dev/mem and /dev/kmem where not explicitly
granted. Please, _don't_ remove the capability check because you don't
see any use for it as there _is_ already use for it.

-- 
Andreas Steinmetz
D.O.M. Datenverarbeitung GmbH
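
The wrapper proposed in the quoted text, sketched as an added example that is not code from this thread or from the kernel tree. It assumes Linux 4.3 or later, where ambient capabilities let a capability survive exec for a non-root user; that mechanism did not exist in the 2.5.42 kernel under discussion. The names only_cap and drop_and_exec are hypothetical.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <grp.h>
#include <linux/capability.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Fill both 32-bit capset() words so that only `cap` is in the permitted,
 * effective and inheritable sets. Returns -1 for an invalid capability. */
int only_cap(int cap, struct __user_cap_data_struct d[2])
{
    if (!cap_valid(cap))
        return -1;
    memset(d, 0, 2 * sizeof(d[0]));
    d[CAP_TO_INDEX(cap)].permitted = CAP_TO_MASK(cap);
    d[CAP_TO_INDEX(cap)].effective = CAP_TO_MASK(cap);
    d[CAP_TO_INDEX(cap)].inheritable = CAP_TO_MASK(cap);
    return 0;
}

/* Start as root; exec argv as uid/gid holding only `cap`. Returns on error. */
int drop_and_exec(uid_t uid, gid_t gid, int cap, char *const argv[])
{
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];
    if (only_cap(cap, d) != 0) return -1;
    /* Without KEEPCAPS the permitted set is cleared when uid 0 is given up. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0) return -1;
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (syscall(SYS_capset, &h, d) != 0) return -1;
    /* Ambient set: the capability is kept across exec of an unprivileged binary. */
    if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0) != 0) return -1;
    execvp(argv[0], argv);
    return -1;
}

/* Usage (as root): wrapper <uid> <gid> <program> [args...] */
int main(int argc, char **argv)
{
    if (argc < 4) { fprintf(stderr, "usage: %s uid gid prog [args]\n", argv[0]); return 2; }
    drop_and_exec((uid_t)atoi(argv[1]), (gid_t)atoi(argv[2]), CAP_SYS_RAWIO, &argv[3]);
    perror("drop_and_exec");
    return 1;
}
```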




This archive was generated by hypermail 2b29 : Wed Oct 23 2002 - 22:00:35 EST