Oliver Pitzeier <[email protected]> wrote:
> Herbert Pötzl <[email protected]> wrote:
> [ ... ]
> > hmm, how will you avoid creation of special (devicenodes)
> > files if I have raw access to any partition? I can 'simply'
> > use xxd to create my special inodes on the medium ... and I
> > would not care if mount is enabled or not when I wipe the
> > root partition with dd ...
>
> AFAIK, there are possibilities to deny _RAW_ access to
> partitions, while in a chroot-jail... If not, I'll tell the
> grsec-team to implement a new feature. :)

I had contact with one of the grsec folks. He told me that it IS
possible, if you have enabled the ACL system...

The original mail he sent me was:

> I noticed your lkml post. grsecurity will indeed deny raw
> access to block devices in a chroot, but only if the ACL
> system is enabled.

Herbert, I hope that helps? :)

Best regards,
Oliver