From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755819Ab1AKL0P (ORCPT ); Tue, 11 Jan 2011 06:26:15 -0500
Received: from mx1.redhat.com ([209.132.183.28]:50522 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752119Ab1AKL0N (ORCPT ); Tue, 11 Jan 2011 06:26:13 -0500
Message-ID: <4D2C3E4D.3070307@redhat.com>
Date: Tue, 11 Jan 2011 19:26:05 +0800
From: Cong Wang
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101209 Fedora/3.1.7-0.35.b3pre.fc14 Thunderbird/3.1.7
MIME-Version: 1.0
To: "Eric W. Biederman"
CC: Eric Paris , linux-kernel@vger.kernel.org, kexec@lists.infradead.org
Subject: Re: [Patch] kexec_load: check CAP_SYS_MODULE
References: <1294302325-22593-1-git-send-email-amwang@redhat.com> <1294432333.3237.107.camel@localhost.localdomain> <1294447189.3237.132.camel@localhost.localdomain>
In-Reply-To:
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

On 2011-01-09 10:09, Eric W. Biederman wrote:
>
> We aren't dealing with modules I think CAP_SYS_MODULE is totally
> irrelevant in the context of kexec.

Yeah, although I don't really understand CAP_SYS_MODULE, it really
confused me to add it to kexec_load(), given its name.

>
> I think to accomplish what you want we either need a way to disable
> sys_kexec_load or possibly a new very targeted capability bit.
>
> You are making it so that giving someone CAP_SYS_MODULE is giving more
> than the ability to load kernel modules.  Which seems non-intuitive from
> a system management point of view.
>

How about CAP_SYS_KEXEC?

Thanks.
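A defender-side check in the spirit of this thread, added here and not part of the original message or of the kernel patch under discussion: it decodes the CapEff mask from a /proc/<pid>/status line so an auditor can see whether a process holds CAP_SYS_MODULE or CAP_SYS_BOOT (the bit mainline kexec_load() gates on). The sample status lines are constructed, not captured from a real system.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability bit numbers as defined in <linux/capability.h>. */
#define CAP_SYS_MODULE 16
#define CAP_SYS_BOOT   22   /* the bit mainline kexec_load() checks */

/* Parse the hex mask of a "CapEff:" line from /proc/<pid>/status.
   Returns 0 and stores the mask on success, -1 if the line is not a
   well-formed CapEff line. */
int parse_capeff(const char *line, uint64_t *mask)
{
    const char *p = line;
    if (strncmp(p, "CapEff:", 7) != 0)
        return -1;
    p += 7;
    while (*p == ' ' || *p == '\t')
        p++;
    char *end;
    uint64_t v = strtoull(p, &end, 16);
    if (end == p)
        return -1;
    *mask = v;
    return 0;
}

/* 1 if bit `cap` is set in the effective mask, else 0. */
int has_cap(uint64_t mask, int cap)
{
    return (int)((mask >> cap) & 1ULL);
}

/* 1 if the CapEff line grants `cap`, 0 if not, -1 if unparsable. */
int cap_in_line(const char *line, int cap)
{
    uint64_t m;
    if (parse_capeff(line, &m) != 0)
        return -1;
    return has_cap(m, cap);
}

/* Constructed sample lines: full root set, CAP_SYS_MODULE only, none. */
static const char *samples[] = {
    "CapEff:\t0000003fffffffff",
    "CapEff:\t0000000000010000",
    "CapEff:\t0000000000000000",
};

int main(void)
{
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%s -> module=%d boot(kexec_load)=%d\n", samples[i],
               cap_in_line(samples[i], CAP_SYS_MODULE),
               cap_in_line(samples[i], CAP_SYS_BOOT));
    return 0;
}
```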