Re: capabilities bounding set weakness ?

From: Matthew Kirkwood (weejock@ferret.lmh.ox.ac.uk)
Date: Thu Jan 06 2000 - 06:43:14 EST


On Thu, 6 Jan 2000, BIONDI Philippe wrote:

> I think the capabilities bounding set has a little weakness. Indeed,
> it is said that it can limit even superuser actions, but, as the
> cap_bset variable is exported, it is really easy to set it as you want
> through /dev/kmem.

> But it may be better to add a CAP_KMEM or sth like that to prevent
> anybody from writing /dev/kmem, even if it is also possible to write
> through /dev/mem, but protecting /dev/mem breaks a lot of apps (like
> X). Maybe a CAP_MEM for those who don't use X would be fine also.

It's called CAP_SYS_RAWIO. I fixed a number of problems with this
about six months ago.

It protects both mem and kmem, because either of them would be
usable to hand-hack kernel structures (though that kmem option is
easier).

Matthew.
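
Added example, not part of the original message or of the kernel source: a check for whether a process still holds CAP_SYS_RAWIO, the capability the reply says guards /dev/mem and /dev/kmem. It assumes a current kernel that reports the CapInh/CapPrm/CapEff/CapBnd masks in /proc/<pid>/status and that CAP_SYS_RAWIO is bit 17; set_has_rawio and the sample text are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SYS_RAWIO_BIT 17 /* CAP_SYS_RAWIO in <linux/capability.h> */

/* Constructed sample in /proc/<pid>/status format (not from the post):
 * a process whose capability sets have bit 17 cleared. */
static const char SAMPLE_STATUS[] =
    "Name:\tdemo\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t000001fffffdffff\n"
    "CapEff:\t000001fffffdffff\n"
    "CapBnd:\t000001fffffdffff\n";

/* 1 if the named set holds CAP_SYS_RAWIO, 0 if not, -1 if field missing/malformed. */
int set_has_rawio(const char *status, const char *field)
{
    size_t flen = strlen(field);
    for (const char *line = status; line && *line; ) {
        if (strncmp(line, field, flen) == 0 && line[flen] == ':') {
            const char *p = line + flen + 1;
            while (*p == ' ' || *p == '\t')
                p++;
            if (!isxdigit((unsigned char)*p))
                return -1; /* empty field: do not read into the next line */
            return (int)((strtoull(p, NULL, 16) >> CAP_SYS_RAWIO_BIT) & 1ULL);
        }
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return -1;
}

int main(void)
{
    static char buf[8192];
    const char *fields[] = { "CapInh", "CapPrm", "CapEff", "CapBnd" };
    FILE *f = fopen("/proc/self/status", "r");
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f)
        fclose(f);
    buf[n] = '\0';
    const char *src = n ? buf : SAMPLE_STATUS; /* fall back to the sample */
    for (size_t i = 0; i < 4; i++)
        printf("%s: CAP_SYS_RAWIO=%d\n", fields[i], set_has_rawio(src, fields[i]));
    return 0;
}
```

A root process that reports 1 for CapEff can open the raw memory devices for writing as far as this capability check is concerned, so a 0 in CapBnd is the value to look for on a locked-down host.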




This archive was generated by hypermail 2b29 : Fri Jan 07 2000 - 21:00:05 EST