[PATCH] disallow modular capabilities

From: Christoph Hellwig
Date: Sun Jan 02 2005 - 15:01:59 EST

Next message: Christoph Hellwig: "Re: [PATCH] disallow modular capabilities"
Previous message: Maciej Soltysiak: "starting with 2.7"
Next in thread: Christoph Hellwig: "Re: [PATCH] disallow modular capabilities"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

There's been a bugtraq report about a root exploit with modular
capabilities LSM support out for more than a week.

This patch fixes it the hard way by disallowing to build the code
modular. In fact I think allowing modular security policies is a
really, really bad idea because loading it after boot loses far
too much state. Would you take a patch killing the exports in
security/ ?

--- 1.10/security/Kconfig 2004-10-20 10:37:08 +02:00
+++ edited/security/Kconfig 2005-01-02 20:50:35 +01:00
@@ -54,7 +54,7 @@
If you are unsure how to answer this question, answer N.

config SECURITY_CAPABILITIES
- tristate "Default Linux Capabilities"
+ bool "Default Linux Capabilities"
depends on SECURITY
help
This enables the "default" Linux capabilities functionality.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Christoph Hellwig: "Re: [PATCH] disallow modular capabilities"
Previous message: Maciej Soltysiak: "starting with 2.7"
Next in thread: Christoph Hellwig: "Re: [PATCH] disallow modular capabilities"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]