On Sun, 2013-09-08 at 10:11 -0700, James Bottomley wrote:

> That's not true if you look at the use cases.  Distros use signed
> modules to taint the kernel:  insert an unsigned one and the kernel
> taints; insert a properly signed one and it doesn't.  They use it for
> support to tell if you've been adhering to your contract.  That use case
> has nothing to do with security.

That use case has nothing to do with this patch, either. It's completely
unaffected. This only triggers if the kernel is configured to refuse the
loading of unsigned modules.

> The analogy is rubbish.  I can give away CAP_SYS_MODULE and enforce what
> modules those I've given the permission to can insert by signing them.
> I keep CAP_SYS_BOOT, so they can't use kexec to subvert this.

Yeah, that's a good argument for why capabilities are mostly pointless.
If I have CAP_SYS_BOOT I can give myself any other capabilities. Why
bother?

-- 
Matthew Garrett <matthew.garrett@nebula.com>
ÿôèº{.nÇ+‰·Ÿ®‰­†+%ŠËÿ±éÝ¶¥Šwÿº{.nÇ+‰·¥Š{±þG«éÿŠ{ayºÊ‡Ú™ë,j­¢f£¢·hšïêÿ‘êçz_è®(­éšŽŠÝ¢j"ú¶m§ÿÿ¾«þG«éÿ¢¸?™¨è­Ú&£ø§~á¶iO•æ¬z·švØ^¶m§ÿÿÃÿ¶ìÿ¢¸?–I¥