Re: [PATCH] Allow /dev/{,k}mem to be disabled to prevent kernel from being modified easily

From: David Lang (david.lang@digitalinsight.com)
Date: Sun Aug 03 2003 - 16:33:01 EST


On Sun, 3 Aug 2003, Andrew Morton wrote:

> bert hubert <ahu@ds9a.nl> wrote:
> >
> > as one of the 'tastemasters', what are your thoughts on doing this
> > dynamically? The sigsegv option might be a dynamic option?
>
> who, me? umm...
>
> I can see that a patch like this would have a place in a general
> security-hardened kernel: one which closes off all the means by which root
> can alter the running kernel.
>
> But that's a specialised thing which interested parties can maintain as a
> standalone patch, and bringing just one part of it into the main kernel
> seems rather arbitrary.

why not bring the other parts in as options as well?

I can understand not bringing in all the external security modules that
want to regulate access to everything else (full capabilities, etc) but
locking down the kernel itself to prevent it from being modified seems
like something that would have a place on most servers, possibly also on
desktops that aren't dynamically adding hardware (probably not that useful
for many laptop users for this reason)

we already have the option to not support modules (as Alan Cox points out
every time that subject comes up it can be bypassed by people who have
access to /dev/*mem) so it would seem that adding the option to bar access
to /dev/*mem as well would make existing config options mean what they
appear to mean.

David Lang




This archive was generated by hypermail 2b29 : Thu Aug 07 2003 - 22:00:22 EST