Re: [PATCH 2/2] x86: Allow disabling of sys_iopl, sys_ioperm

[Alan Cox]

> > So lets turn the question around a moment - what breaks if you simply
> > take CAP_SYS_RAWIO away from everything ?
> >
> 
> Alright, I see your point.   ISTR that CAP_SYS_RAWIO was required for
> accessing block devices directly, but this doesn't seem to be the
> case.

Its needed for certain kinds of command issue (raw commands) but not I
believe raw block I/O

> I think the approach I'll try next is to try and drop it with
> PR_CAPBSET_DROP from early userspace's init.
> 
> Any other vectors you would suggest to keep the kiddies away?

/dev/mem /dev/kmem (which do have options to clamp down on)
module loading you have down

GPU if you don't need any graphics. Not so much because its a specific
threat area but because its a large exposure.

For media there are exploit paths to consider where an attacker rewrites
the boot media and reboots. If you need raw disk I/O those are a spot
harder to mend.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/