Re: Capabilities in LSM

From: Seth Arnold (sarnoldat_private)
Date: Thu May 29 2003 - 23:03:01 PDT

  • Next message: Niki Rahimi: "OLS"

    On Thu, May 29, 2003 at 03:28:59PM -0700, Michael Halcrow wrote:
    > Can someone point me to some documentation on using capabilities in
    > the 2.5 kernel LSM?  I am specifically interested in using
    > CAP_SYS_MODULE from another LSM to regulate the ability to load and
    > unload modules.
    
    Check out the capable function pointer in the security_operations
    structure. If your module's capable() function refuses any requests for
    CAP_SYS_MODULE, you should be good to go.
    
    (Note that /dev/[k]mem can also be used to modify the running kernel;
    iirc, those devices check for CAP_SYS_RAWIO, which you may also wish to
    disable. :)
    
    -- 
    You too can spend five years in prison; just distribute this program
    once US Senator Hollings's CBDTPA bill is passed into law:
    perl -e 'while(<>) { print;}'
    
    
    

    _______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module



    This archive was generated by hypermail 2b30 : Thu May 29 2003 - 23:03:36 PDT