Subject: Re: [PATCH] Allow /dev/{,k}mem to be disabled to prevent kernel from being modified easily
From: Alan Cox
To: bert hubert
Cc: David Lang, Andrew Morton, Linux Kernel Mailing List, devik@cdi.cz, aebr@win.tue.nl
Date: 04 Aug 2003 14:10:42 +0100
Message-Id: <1060002642.416.9.camel@dhcp22.swansea.linux.org.uk>
In-Reply-To: <20030803214738.GA16129@outpost.ds9a.nl>
References: <20030803140031.7665546c.akpm@osdl.org> <20030803214738.GA16129@outpost.ds9a.nl>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sul, 2003-08-03 at 22:47, bert hubert wrote:
> As to what Alan said about LSM, I've yet to see how to do that in a
> reasonable way. But I didn't look too hard.

Just refuse anything needing CAP_SYS_RAWIO at all times. That's why this
capability flag exists.

Or with SELinux you can create a role which has RAWIO access but is very
limited in other ways (eg "Only my X server", or "only the firmware loader
for my serial card") and which is tainted if anything else touches those
files.

Alan
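The reply above rests on CAP_SYS_RAWIO being the single gate for raw memory and I/O access, so an administrator who wants to know which processes could still reach /dev/mem or /dev/kmem needs to see which of them hold that capability in their effective set. The following program is an added example written for this page, not code from the thread or from the kernel tree: it decodes the CapEff hex mask that the kernel prints in /proc/<pid>/status (a 64-bit mask, one bit per capability) and reports whether bit 17, CAP_SYS_RAWIO as numbered in linux/capability.h, is set. The sample status text used in the test is constructed; the /proc format it parses is the real one.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

/* Capability number taken from <linux/capability.h>; hard-coded here so the
 * file builds without kernel headers installed. */
#define CAP_SYS_RAWIO 17

/* Parse a hex capability mask as printed in /proc/<pid>/status and return
 * 1 if bit `cap` is set, 0 if it is clear, -1 on a malformed mask or an
 * out-of-range capability number. */
int mask_has_cap(const char *hex_mask, int cap)
{
    char *end;
    errno = 0;
    unsigned long long mask = strtoull(hex_mask, &end, 16);
    if (errno != 0 || end == hex_mask || cap < 0 || cap > 63)
        return -1;
    return (int)((mask >> cap) & 1ULL);
}

/* Given the full text of a /proc/<pid>/status file, locate the effective
 * capability set ("CapEff:") and report whether `cap` is in it.
 * Returns 1 (present), 0 (absent) or -1 (no CapEff line / parse error). */
int status_has_cap(const char *status_text, int cap)
{
    const char *p = status_text;
    while (p && *p) {
        if (strncmp(p, "CapEff:", 7) == 0) {
            p += 7;
            while (*p == ' ' || *p == '\t')
                p++;
            return mask_has_cap(p, cap);
        }
        p = strchr(p, '\n');   /* advance to the next line */
        if (p)
            p++;
    }
    return -1;
}

/* Read /proc/<pid>/status and check it for CAP_SYS_RAWIO.
 * Uses the same return codes as status_has_cap(). */
int pid_has_rawio(const char *pid)
{
    char path[64];
    char buf[8192];
    snprintf(path, sizeof path, "/proc/%s/status", pid);
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return status_has_cap(buf, CAP_SYS_RAWIO);
}

/* Usage: ./rawio_check [pid]   (defaults to the calling process) */
int main(int argc, char **argv)
{
    const char *pid = argc > 1 ? argv[1] : "self";
    int r = pid_has_rawio(pid);
    if (r < 0) {
        fprintf(stderr, "could not read capabilities of pid %s\n", pid);
        return 1;
    }
    printf("pid %s %s CAP_SYS_RAWIO in its effective set\n",
           pid, r ? "holds" : "does not hold");
    return 0;
}
```

Run it against every numbered directory under /proc to get the list of processes that the CAP_SYS_RAWIO refusal Alan describes would affect; a SELinux role of the kind he mentions is then the tool for leaving only the few legitimate holders (an X server, a firmware loader) with that access.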