Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S263000AbUDARyt (ORCPT ); Thu, 1 Apr 2004 12:54:49 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S263012AbUDARyt (ORCPT ); Thu, 1 Apr 2004 12:54:49 -0500 Received: from holomorphy.com ([207.189.100.168]:50350 "EHLO holomorphy.com") by vger.kernel.org with ESMTP id S263000AbUDARyp (ORCPT ); Thu, 1 Apr 2004 12:54:45 -0500 Date: Thu, 1 Apr 2004 09:54:36 -0800 From: William Lee Irwin III To: Marc-Christian Petersen Cc: linux-kernel@vger.kernel.org, Stephen Smalley , Andrea Arcangeli , Andrew Morton , kenneth.w.chen@intel.com, Chris Wright Subject: Re: disable-cap-mlock Message-ID: <20040401175436.GI791@holomorphy.com> Mail-Followup-To: William Lee Irwin III , Marc-Christian Petersen , linux-kernel@vger.kernel.org, Stephen Smalley , Andrea Arcangeli , Andrew Morton , kenneth.w.chen@intel.com, Chris Wright References: <20040401135920.GF18585@dualathlon.random> <1080841071.25431.155.camel@moss-spartans.epoch.ncsc.mil> <20040401174405.GG791@holomorphy.com> <200404011952.29724@WOLK> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200404011952.29724@WOLK> User-Agent: Mutt/1.5.5.1+cvs20040105i Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1081 Lines: 25 On Thursday 01 April 2004 19:44, William Lee Irwin III wrote: >> I'm aware it does some very unintelligent things to the security model, >> e.g. anyone with fs-level access to these things can basically escalate >> their capabilities to "everything". Maybe some kind of big fat warning >> is in order. On Thu, Apr 01, 2004 at 07:52:29PM +0200, Marc-Christian Petersen wrote: > hmm, maybe a /proc/sys/capability/lock and if set to 1 you can't > change any of the sysctl variables, even root should not be allowed > to change lock back, until you do a reboot. Practical? > ciao, Marc Feasible, though it's an open question as to how many hoops we should jump through to prevent people from shooting themselves in the foot. Maybe Steven could recommend adjustments and/or give some idea as to whether the above would be useful. -- wli - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/