Re: [PATCH 2/2] x86: Allow disabling of sys_iopl, sys_ioperm
From: Alan Cox
Date: Thu Jul 14 2011 - 19:04:41 EST
> > a) you can do this with a security module
>
> I can? How? The whole LSM approach seems intractable to me.
It would certainly need some trivial tweaking (to be specific we'd need
to move from capable(x) to capable_syscall(x, syscall_code) for those
interfaces that mattered, but that would probably be a good thing anyway
from the point of view of beating the capability model into something more
flexible and would help stuff like SELinux as well I think.
We have an underlying separation of security from the other details - we
really should keep it clean that way.
Alan
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/