Re: disable-cap-mlock

From: William Lee Irwin III
Date: Thu Apr 01 2004 - 12:57:32 EST

Next message: tbeg: "Max size of buffer shared between kernel and user application?"
Previous message: Marc-Christian Petersen: "Re: disable-cap-mlock"
In reply to: Marc-Christian Petersen: "Re: disable-cap-mlock"
Next in thread: Stephen Smalley: "Re: disable-cap-mlock"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thursday 01 April 2004 19:44, William Lee Irwin III wrote:
>> I'm aware it does some very unintelligent things to the security model,
>> e.g. anyone with fs-level access to these things can basically escalate
>> their capabilities to "everything". Maybe some kind of big fat warning
>> is in order.

On Thu, Apr 01, 2004 at 07:52:29PM +0200, Marc-Christian Petersen wrote:
> hmm, maybe a /proc/sys/capability/lock and if set to 1 you can't
> change any of the sysctl variables, even root should not be allowed
> to change lock back, until you do a reboot. Practical?
> ciao, Marc

Feasible, though it's an open question as to how many hoops we should
jump through to prevent people from shooting themselves in the foot.

Maybe Steven could recommend adjustments and/or give some idea as to
whether the above would be useful.

-- wli
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: tbeg: "Max size of buffer shared between kernel and user application?"
Previous message: Marc-Christian Petersen: "Re: disable-cap-mlock"
In reply to: Marc-Christian Petersen: "Re: disable-cap-mlock"
Next in thread: Stephen Smalley: "Re: disable-cap-mlock"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]