Re: [PATCH 2/2] x86: Allow disabling of sys_iopl, sys_ioperm

["H. Peter Anvin" <hpa@zytor.com>]

On 07/17/2011 04:19 PM, Eric Paris wrote:
> On Sat, Jul 16, 2011 at 12:42 AM, Mike Waychison <mikew@google.com> wrote:
>> On Fri, Jul 15, 2011 at 3:30 PM, Andrew G. Morgan <agm@google.com> wrote:
>>> I'd put it in kinit too.
>>>
>>> I think you may have to think about the call_usermodehelper code, and
>>> you might want to look at dropping CAP_SYS_MODULE too.
>>
>> Looks like usermodehelpers are configurable for both the inheritable
>> set and the bounding set via /proc/sys/kernel/usermodehelper/bset and
>> /proc/sys/kernel/usermodehelper/inheritable thanks to Eric Paris
>> (17f60a7da, available in 3.0-rc1).
> 
> If you look in Fedora and RHEL you'll see that we actually already
> provide a dracut module (dracut-caps) which can be used to create an
> initrd which contains all of the modules you need to load, it loads
> them, and then will drop all of the caps that you want to drop.   Good
> to see we already solved this problem once!!  (although it requires
> that your kernel and initrd not be in a place that your root user can
> modify it, easy to do in the virt space, no so easy in the real
> hardware world)
> 

Have you considered separating out the kernel-specific portions into a
separate initramfs file (preferrably one which could be built from a
kernel build tree).  The whole dependency of kernels with initramfs is a
huge pain for kernel development and debugging...

	-hpa

-- 
H. Peter Anvin, Intel Open Source Technology Center
I work for Intel.  I don't speak on their behalf.