Re: 2.6.6-mm2

From: Chris Wright
Date: Thu May 13 2004 - 14:44:19 EST


* Andrew Morton (akpm@xxxxxxxx) wrote:
> Chris Wright <chrisw@xxxxxxxx> wrote:
> > What about something that's just simple and generic? This is similar to
> > Andrea's disable_cap_mlock patch and the disabling capabilities patch
> > that wli produced back in that thread. It would remove the hack, and
> > buy us some time to find better solutions. Downside of course (as all
> > of these have) is reduced security value.
>
> -ENODOCCO.

Oops, I assumed the MODULE_PARAM_DESC was self-explanatory for a first
pass, sorry about that.

> I assume one does
>
> modprobe capability mask=32768
>
> and this squashes CAP_IPC_LOCK system-wide?

Yes, although I think you picked off the wrong bit ;-) (and I prefer hex)

modprobe capability mask=0x4000

or if CONFIG_SECURITY_MODULE=y, then boot param:

capability.mask=0x4000

thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
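Added example, not part of the original message or of the patch under discussion: a small decoder that turns a mask value, typed in decimal or hex as in the thread, into capability names, which shows that 32768 is bit 15 (CAP_IPC_OWNER) while 0x4000 is bit 14 (CAP_IPC_LOCK). The function names are hypothetical, and the name table is typed in here on the assumption that it matches the 0..28 numbering in include/linux/capability.h for kernels of that era.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed table: capability bit numbers 0..28 (assumed 2.6-era numbering). */
static const char *const cap_names[] = {
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE",
};
#define NCAPS (sizeof cap_names / sizeof cap_names[0])

/* Parse a mask as typed: base 0 accepts decimal and 0x-prefixed hex.
 * Returns 0 on success, -1 on empty input, trailing junk or overflow. */
int parse_mask(const char *s, unsigned long *out)
{
    char *end;
    errno = 0;
    unsigned long v = strtoul(s, &end, 0);
    if (errno || end == s || *end != '\0') return -1;
    *out = v;
    return 0;
}

/* Write the space-separated names of the set bits into buf. Returns the number
 * of bits set, or -1 if a bit lies outside the table or buf is too small. */
int decode_mask(unsigned long mask, char *buf, size_t len)
{
    int n = 0;
    size_t used = 0;
    if (len == 0 || (mask >> NCAPS)) return -1;
    buf[0] = '\0';
    for (size_t bit = 0; bit < NCAPS; bit++) {
        if (!(mask & (1UL << bit))) continue;
        int w = snprintf(buf + used, len - used, "%s%s", n ? " " : "", cap_names[bit]);
        if (w < 0 || (size_t)w >= len - used) return -1;
        used += (size_t)w;
        n++;
    }
    return n;
}
```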