Re: [PATCH 01/12] Security: Add CAP_COMPROMISE_KERNEL

From: Matthew Garrett
Date: Wed Mar 20 2013 - 12:49:44 EST


On Wed, 2013-03-20 at 12:41 -0400, Mimi Zohar wrote:

> Matthrew, perhaps you could clarify whether this will be tied to MAC
> security. Based on the kexec thread, I'm under the impression that is
> not the intention, or at least not for kexec. As root isn't trusted,
> neither is the boot command line, nor any policy that is loaded by root,
> including those for MAC.

The work done on signed initramfs fragments would seem to be the best
option here so far?

--
Matthew Garrett | mjg59@xxxxxxxxxxxxx
N‹§²æìr¸›yúèšØb²X¬¶ÇvØ^–)Þ{.nÇ+‰·¥Š{±‘êçzX§¶›¡Ü}©ž²ÆzÚ&j:+v‰¨¾«‘êçzZ+€Ê+zf£¢·hšˆ§~†­†Ûiÿûàz¹®w¥¢¸?™¨è­Ú&¢)ßf”ù^jÇy§m…á@A«a¶Úÿ 0¶ìh®å’i