From: Stephen Smalley
Date: Thu Apr 01 2004 - 13:49:09 EST
On Thu, 2004-04-01 at 12:54, William Lee Irwin III wrote:
> On Thu, Apr 01, 2004 at 07:52:29PM +0200, Marc-Christian Petersen wrote:
> > hmm, maybe a /proc/sys/capability/lock and if set to 1 you can't
> > change any of the sysctl variables, even root should not be allowed
> > to change lock back, until you do a reboot. Practical?
> > ciao, Marc
> Feasible, though it's an open question as to how many hoops we should
> jump through to prevent people from shooting themselves in the foot.
> Maybe Steven could recommend adjustments and/or give some idea as to
> whether the above would be useful.
Some form of control over changing the sysctl settings (beyond just the
mode) should be provided; otherwise, the module is too unsafe by itself
for real use, and you can't assume that people will only use it stacked
with SELinux (which could control such changes). Allowing the settings
to be locked as mcp suggested sounds simple and sufficient for the
proposed use; they can disable their desired capability and then lock in
/sbin/init. For greater generality, I'd suggest adding a new capability
to control the ability to set the capability sysctls, but then we are in
a vicious cycle...
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/