Re: [PATCH 2/2] x86: Allow disabling of sys_iopl, sys_ioperm

From: Alan Cox
Date: Thu Jul 14 2011 - 19:04:41 EST

Next message: Frederic Weisbecker: "Re: [PATCH 5/6] trace: Add tracepoints to call function interrupthandlers"
Previous message: Vaibhav Nagarnaik: "Re: [PATCH 5/6] trace: Add tracepoints to call function interrupt handlers"
In reply to: Mike Waychison: "Re: [PATCH 2/2] x86: Allow disabling of sys_iopl, sys_ioperm"
Next in thread: Mike Waychison: "Re: [PATCH 2/2] x86: Allow disabling of sys_iopl, sys_ioperm"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> > a) you can do this with a security module
>
> I can? How? The whole LSM approach seems intractable to me.

It would certainly need some trivial tweaking (to be specific we'd need
to move from capable(x) to capable_syscall(x, syscall_code) for those
interfaces that mattered, but that would probably be a good thing anyway
from the point of view of beating the capability model into something more
flexible and would help stuff like SELinux as well I think.

We have an underlying separation of security from the other details - we
really should keep it clean that way.

Alan
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Frederic Weisbecker: "Re: [PATCH 5/6] trace: Add tracepoints to call function interrupthandlers"
Previous message: Vaibhav Nagarnaik: "Re: [PATCH 5/6] trace: Add tracepoints to call function interrupt handlers"
In reply to: Mike Waychison: "Re: [PATCH 2/2] x86: Allow disabling of sys_iopl, sys_ioperm"
Next in thread: Mike Waychison: "Re: [PATCH 2/2] x86: Allow disabling of sys_iopl, sys_ioperm"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]