2.2 kernels have full capabilities for protecting removing immutable flags
and much more. The simpliest way to make a secure system is to have two
kernels. One vanilla, and second a little bit patched... just look at
theese lines in /usr/src/linux/include/linux/capability.h:
#define CAP_EMPTY_SET to_cap_t(0)
#define CAP_FULL_SET to_cap_t(~0)
#define CAP_INIT_EFF_SET to_cap_t(~0 & ~CAP_TO_MASK(CAP_SETPCAP))
#define CAP_INIT_INH_SET to_cap_t(~0 & ~CAP_TO_MASK(CAP_SETPCAP))
For secure kernel you can make something like:
#define CAP_FULL_SET to_cap_t(~0 & ~CAP_TO_MASK(CAP_SETPCAP) &
~CAP_TO_MASK(CAP_LINUX_IMMUTABLE))
So even root will not be able to remove immutable flags with this kernel.
Or there are more funny things... adding right here CAP_NET_RAW will
disable ability to run sniffers (and sending ping).
just look into that capability.h and you will find everything you can
tweak out =]
some more enteresting examples:
/* Allow ptrace() of any process */
#define CAP_SYS_PTRACE 19
huh, noone will able to trace processes.
/* Allow manipulation of system clock */
/* Allow irix_stime on mips */
/* Allow setting the real-time clock */
#define CAP_SYS_TIME 25
changing time is impossible any more :-)
There are other capabilities, that restrict accessing devices directly
etc. But theese cannot be restricted in kernel - they should be controlled
at boot time... But it is not impossible to change it in a running system
- using modules or just raw kernel image file. Then you can safely turn on
securebits and your system is invulnerable.
With respect,
Domas Mituzas
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/