Re: Sealing the kernel

Aaron Sethman (androsyn@atomic-city.dev.powerize.com)
Tue, 26 Oct 1999 14:17:26 -0400 (EDT)


On Tue, 26 Oct 1999, Dimitris Margaritis wrote:
> Yes, John forgot to mention that we're assuming boot from a read-only
> medium such as a write-protected floppy or CD-ROM. We also assume
> that the rc scripts, kernel, and all modules to be loaded at boot
> time (before of course the sealing module) also reside on that medium.
>
> About your last point, yes, root can do a lot of nasty things, but by
> sealing the kernel at least they are constrained to what's available
> through kernel services. That may help presumably by disabling a lot
> of stuff in the running kernel.
Or even a better idea, compile the kernel without module support
altogether. Just hope that you don't have any of those blasted Plug and
Pray devices.

Aaron
