Re: [PATCH] x86: Lock down MSR writing in secure boot
From: Paolo Bonzini
Date: Wed Feb 13 2013 - 14:56:08 EST
Il 13/02/2013 18:22, H. Peter Anvin ha scritto:
>> On non-x86 machines CAP_SYS_RAWIO is much less dangerous, especially
>> when coupled with file DAC.
Discretionary Access Control.
> Either way, I think you are at best deluded and more like you just
> completely wrong about CAP_SYS_RAWIO being "less dangerous on non-x86
> machines". With the possible exception of s390 I suspect it is, in
> fact, more dangerous.
I may well be wrong, but as a quick data point CAP_SYS_RAWIO has no
occurrences in arch/ except arch/x86. Of course a lot of driver
functionality will be limited to CAP_SYS_RAWIO, but usually this
requires having a file descriptor for some file.
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/