On Thu, May 29, 2003 at 03:28:59PM -0700, Michael Halcrow wrote:
> Can someone point me to some documentation on using capabilities in
> the 2.5 kernel LSM? I am specifically interested in using
> CAP_SYS_MODULE from another LSM to regulate the ability to load and
> unload modules.

Check out the capable function pointer in the security_operations
structure. If your module's capable() function refuses any requests for
CAP_SYS_MODULE, you should be good to go.

(Note that /dev/[k]mem can also be used to modify the running kernel;
iirc, those devices check for CAP_SYS_RAWIO, which you may also wish to
disable. :)

--
You too can spend five years in prison; just distribute this program
once US Senator Hollings's CBDTPA bill is passed into law:
perl -e 'while(<>) { print;}'
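
The hook logic described in the reply, as an added illustration that is not part of the original message: a userspace model of a capable() hook that refuses CAP_SYS_MODULE and CAP_SYS_RAWIO for every task. The `task_struct` and `security_operations` definitions here are simplified stand-ins, and `default_capable`, `lockdown_capable` and `decision` are hypothetical names; in a real module the hook is installed through the kernel's own security_operations structure.

```c
/* Userspace model of an LSM capable() hook. The struct types below are
 * simplified stand-ins (assumptions) so the logic runs outside the kernel. */
#include <errno.h>
#include <stdio.h>

#define CAP_SYS_MODULE 16   /* numeric values as in <linux/capability.h> */
#define CAP_SYS_RAWIO  17
#define CAP_SYS_ADMIN  21
#define CAP_TO_MASK(cap) (1U << (cap))

struct task_struct { unsigned int cap_effective; };   /* stand-in */
struct security_operations {                          /* stand-in: one hook only */
    int (*capable)(struct task_struct *tsk, int cap);
};

/* Baseline check: allow only if the bit is raised in the effective set. */
static int default_capable(struct task_struct *tsk, int cap)
{
    return (tsk->cap_effective & CAP_TO_MASK(cap)) ? 0 : -EPERM;
}

/* Refuse the two capabilities named in the reply for every task, even one
 * holding the full capability set; defer to the baseline for the rest. */
static int lockdown_capable(struct task_struct *tsk, int cap)
{
    if (cap == CAP_SYS_MODULE || cap == CAP_SYS_RAWIO)
        return -EPERM;
    return default_capable(tsk, cap);
}

static struct security_operations lockdown_ops = { .capable = lockdown_capable };

/* Decision the hook returns for a constructed task with the given
 * effective capability mask. */
int decision(unsigned int cap_effective, int cap)
{
    struct task_struct tsk = { .cap_effective = cap_effective };
    return lockdown_ops.capable(&tsk, cap);
}

int main(void)
{
    /* Constructed case: a root-like task with every capability raised. */
    printf("CAP_SYS_MODULE: %d\n", decision(~0U, CAP_SYS_MODULE));
    printf("CAP_SYS_RAWIO:  %d\n", decision(~0U, CAP_SYS_RAWIO));
    printf("CAP_SYS_ADMIN:  %d\n", decision(~0U, CAP_SYS_ADMIN));
    return 0;
}
```

Because the refusal happens before the effective set is consulted, a task that holds every capability is still denied module loading and raw memory access, while unrelated capabilities keep their normal behaviour.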
This archive was generated by hypermail 2b30 : Thu May 29 2003 - 23:03:36 PDT