Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933539Ab3CTQmp (ORCPT ); Wed, 20 Mar 2013 12:42:45 -0400 Received: from e35.co.us.ibm.com ([32.97.110.153]:46308 "EHLO e35.co.us.ibm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752066Ab3CTQmn (ORCPT ); Wed, 20 Mar 2013 12:42:43 -0400 Message-ID: <1363797717.2580.10.camel@falcor1.watson.ibm.com> Subject: Re: [PATCH 01/12] Security: Add CAP_COMPROMISE_KERNEL From: Mimi Zohar To: James Morris Cc: Matthew Garrett , linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, linux-efi@vger.kernel.org, kexec@lists.infradead.org, linux-pci@vger.kernel.org Date: Wed, 20 Mar 2013 12:41:57 -0400 In-Reply-To: References: <1363642353-30749-1-git-send-email-matthew.garrett@nebula.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.2.3 (3.2.3-3.fc16) Content-Transfer-Encoding: 7bit Mime-Version: 1.0 X-TM-AS-MML: No X-Content-Scanned: Fidelis XPS MAILER x-cbid: 13032016-4834-0000-0000-000004E067D9 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1012 Lines: 27 On Tue, 2013-03-19 at 15:47 +1100, James Morris wrote: > On Mon, 18 Mar 2013, Matthew Garrett wrote: > > > This patch introduces CAP_COMPROMISE_KERNEL. > > I'd like to see this named CAP_MODIFY_KERNEL, which is more accurate and > less emotive. Otherwise I think core kernel developers will be scratching > their head over where to sprinkle this. > > Apart from that, I like the idea, especially when it's wired up to MAC > security. Matthrew, perhaps you could clarify whether this will be tied to MAC security. Based on the kexec thread, I'm under the impression that is not the intention, or at least not for kexec. As root isn't trusted, neither is the boot command line, nor any policy that is loaded by root, including those for MAC. thanks, Mimi -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/