Re: [PATCH 2/2] ACPI: Override arbitrary ACPI tables via initrd fordebugging
From: Alan Cox
Date: Mon Sep 24 2012 - 05:17:15 EST
> The issue is/was, that root can inject code at runtime which is then
> executed in kernel environment.
Yes there are lots of other ways to do this too. The constraint we use
for it is CAP_SYS_RAWIO. With that capability you can totally do raw
hardware access and the like so requiring it for runtime ACPI updating
and execution is consistent with the security model.
> Afaik there are "security" provisions or say setups, which do
> hide modprobe/insmod and do not allow root to load any kernel drivers
> or similar.
To do this you have to revoke CAP_SYS_RAWIO.
Alan
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/