Re: [PATCH 01/12] Security: Add CAP_COMPROMISE_KERNEL
From: Matthew Garrett
Date: Wed Mar 20 2013 - 12:49:44 EST
On Wed, 2013-03-20 at 12:41 -0400, Mimi Zohar wrote:
> Matthrew, perhaps you could clarify whether this will be tied to MAC
> security. Based on the kexec thread, I'm under the impression that is
> not the intention, or at least not for kexec. As root isn't trusted,
> neither is the boot command line, nor any policy that is loaded by root,
> including those for MAC.
The work done on signed initramfs fragments would seem to be the best
option here so far?
Matthew Garrett | mjg59@xxxxxxxxxxxxx