Subject: Re: [PATCH] Allow /dev/{,k}mem to be disabled to prevent kernel
	from being modified easily
From: Alan Cox <alan@lxorguk.ukuu.org.uk>
To: bert hubert <ahu@ds9a.nl>
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>, akpm@osdl.org,
       devik@cdi.cz
In-Reply-To: <20030803180950.GA11575@outpost.ds9a.nl>
References: <20030803180950.GA11575@outpost.ds9a.nl>
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Organization: 
Message-Id: <1059944575.31900.11.camel@dhcp22.swansea.linux.org.uk>
Mime-Version: 1.0
Date: 03 Aug 2003 22:02:55 +0100
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1040
Lines: 23

On Sul, 2003-08-03 at 19:09, bert hubert wrote:
> up about Oppenheimer when disclaiming that you are 'just a coder'. The item
> to google on is: "ethics sweetness hydrogen bomb Oppenheimer"), I wrote
> a patch to disable /dev/kmem and /dev/mem, which is harmless on servers
> without X.

You can do this without modifications using the security interface
hooks. If you want to do it right with 2.4 or without security modules
you need to globally revoke CAP_SYS_RAWIO and CAP_SYS_MODULE otherwise
you merely made it harder.

> It blocks attempts by rootkits, such as devik's SucKIT, to hide themselves.
> 
> It is not a final solution but it raises the bar a lot. Please apply.

Fine in theory but you can do this via security modules so its better if
you write a security policy module for it.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/