Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S263058AbUDASsO (ORCPT ); Thu, 1 Apr 2004 13:48:14 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S263061AbUDASsO (ORCPT ); Thu, 1 Apr 2004 13:48:14 -0500 Received: from facesaver.epoch.ncsc.mil ([144.51.25.10]:14237 "EHLO epoch.ncsc.mil") by vger.kernel.org with ESMTP id S263058AbUDASsK (ORCPT ); Thu, 1 Apr 2004 13:48:10 -0500 Subject: Re: disable-cap-mlock From: Stephen Smalley To: William Lee Irwin III Cc: Marc-Christian Petersen , lkml , Andrea Arcangeli , Andrew Morton , kenneth.w.chen@intel.com, Chris Wright In-Reply-To: <20040401175436.GI791@holomorphy.com> References: <20040401135920.GF18585@dualathlon.random> <1080841071.25431.155.camel@moss-spartans.epoch.ncsc.mil> <20040401174405.GG791@holomorphy.com> <200404011952.29724@WOLK> <20040401175436.GI791@holomorphy.com> Content-Type: text/plain Organization: National Security Agency Message-Id: <1080845238.25431.196.camel@moss-spartans.epoch.ncsc.mil> Mime-Version: 1.0 X-Mailer: Ximian Evolution 1.4.5 (1.4.5-7) Date: Thu, 01 Apr 2004 13:47:18 -0500 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1511 Lines: 32 On Thu, 2004-04-01 at 12:54, William Lee Irwin III wrote: > On Thu, Apr 01, 2004 at 07:52:29PM +0200, Marc-Christian Petersen wrote: > > hmm, maybe a /proc/sys/capability/lock and if set to 1 you can't > > change any of the sysctl variables, even root should not be allowed > > to change lock back, until you do a reboot. Practical? > > ciao, Marc > > Feasible, though it's an open question as to how many hoops we should > jump through to prevent people from shooting themselves in the foot. > > Maybe Steven could recommend adjustments and/or give some idea as to > whether the above would be useful. Some form of control over changing the sysctl settings (beyond just the mode) should be provided; otherwise, the module is too unsafe by itself for real use, and you can't assume that people will only use it stacked with SELinux (which could control such changes). Allowing the settings to be locked as mcp suggested sounds simple and sufficient for the proposed use; they can disable their desired capability and then lock in /sbin/init. For greater generality, I'd suggest adding a new capability to control the ability to set the capability sysctls, but then we are in a vicious cycle... -- Stephen Smalley National Security Agency - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/