> 4) don't allow write access to /dev/[k]mem if securelevel>0. there are
> other securelevel insecurities, but this one makes it *so* easy to
> circumvent that we might as well not have securelevels at all.
>
> I'm not much of a kernel hacker so I won't touch #1 or #2, but I can
> try to make patches for #3 and #4 if there's interest...
Hi,
I've had a bash at #4. The patch is an additional patch on top of the
linux-privs work (which appears to be working nicely!)
As well as /dev/kmem, there are kernel module loading banning, iopl(),
ioperm() restrictions, ban on writes to block devices, protection of init,
protection of immutable files, protection of r/o partitions. Probably more
that I've forgotten. It all seemed to work too...
Check out
And follow the Orange-Linux -> Linux-privs links.
Cheers
Chris