Re: [PATCH] x86: Lock down MSR writing in secure boot
From: H. Peter Anvin
Date: Wed Feb 13 2013 - 17:25:40 EST
On 02/13/2013 11:55 AM, Paolo Bonzini wrote:
Il 13/02/2013 18:22, H. Peter Anvin ha scritto:
On non-x86 machines CAP_SYS_RAWIO is much less dangerous, especially
when coupled with file DAC.
Discretionary Access Control.
Either way, I think you are at best deluded and more like you just
completely wrong about CAP_SYS_RAWIO being "less dangerous on non-x86
machines". With the possible exception of s390 I suspect it is, in
fact, more dangerous.
I may well be wrong, but as a quick data point CAP_SYS_RAWIO has no
occurrences in arch/ except arch/x86. Of course a lot of driver
functionality will be limited to CAP_SYS_RAWIO, but usually this
requires having a file descriptor for some file.
Well, yes, although that could include /dev/mem.
-hpa
--
H. Peter Anvin, Intel Open Source Technology Center
I work for Intel. I don't speak on their behalf.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/