| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20110715105557.7cb3dfcc@lxorguk.ukuu.org.uk> Date: Fri, 15 Jul 2011 10:55:57 +0100 From: Alan Cox <alan@...rguk.ukuu.org.uk> To: Mike Waychison <mikew@...gle.com> Cc: Greg Kroah-Hartman <gregkh@...e.de>, Andrew Morton <akpm@...ux-foundation.org>, Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, "H. Peter Anvin" <hpa@...or.com>, x86@...nel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH 2/2] x86: Allow disabling of sys_iopl, sys_ioperm > > So lets turn the question around a moment - what breaks if you simply > > take CAP_SYS_RAWIO away from everything ? > > > > Alright, I see your point. ISTR that CAP_SYS_RAWIO was required for > accessing block devices directly, but this doesn't seem to be the > case. Its needed for certain kinds of command issue (raw commands) but not I believe raw block I/O > I think the approach I'll try next is to try and drop it with > PR_CAPBSET_DROP from early userspace's init. > > Any other vectors you would suggest to keep the kiddies away? /dev/mem /dev/kmem (which do have options to clamp down on) module loading you have down GPU if you don't need any graphics. Not so much because its a specific threat area but because its a large exposure. For media there are exploit paths to consider where an attacker rewrites the boot media and reboots. If you need raw disk I/O those are a spot harder to mend. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists