Re: 2.6.6-mm2
From: Chris Wright
Date: Thu May 13 2004 - 14:44:19 EST
* Andrew Morton (akpm@xxxxxxxx) wrote:
> Chris Wright <chrisw@xxxxxxxx> wrote:
> > What about something that's just simple and generic? This is similar to
> > Andrea's disable_cap_mlock patch and the disabling capabilities patch
> > that wli produced back in that thread. It would remove the hack, and
> > buy us some time to find better solutions. Downside of course (as all
> > of these have) is reduced security value.
>
> -ENODOCCO.
Oops, I assumed the MODULE_PARM_DESC was self-explanatory for a first
pass, sorry about that.
> I assume one does
>
> modprobe capability mask=32768
>
> and this squashes CAP_IPC_LOCK system-wide?
Yes, although I think you picked off the wrong bit ;-) (and I prefer hex)

	modprobe capability mask=0x4000

or if CONFIG_SECURITY_MODULE=y, then boot param:

	capability.mask=0x4000

thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net