Re: another kconfig target for building monolithic kernel (forsecurity) ?

From: Arjan van de Ven
Date: Sun Apr 30 2006 - 09:24:04 EST


On Sun, 2006-04-30 at 14:31 +0200, devzero@xxxxxx wrote:
> hello !
>
> "Unfortunately, disabling /dev/mem will break many things, including X and potentially many other user-space programs"
> (-> http://lwn.net/2001/0419/security.php3 )

not if you do it carefully like we did for Fedora...

>
> "The /dev/mem and /dev/kmem character special files provide access to a pseudo device driver that allows read and write access to system memory or I/O address space. Typically, these special files are used by operating system utilities and commands (such as sar, iostat, and vmstat) to obtain status and statistical information about the system" (ok, this is for AIX, does this apply for linux, too? -> http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.aix.doc/files/aixfiles/mem.htm )


/dev/kmem isn't used by much of anything except debugging, so having
that a config option is reasonable. for /dev/mem it's enough to disable
all access to 'what the kernel sees as RAM' with the lower 1Mb as
exception..

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/