From: WANG Cong
Subject: Re: [PATCH] kexec: include sysctl to disable
Date: Thu, 20 Jan 2011 05:32:50 +0000 (UTC)
References: <20110119222630.6755.63928.stgit@paris.rdu.redhat.com>
To: kexec@lists.infradead.org
Cc: linux-kernel@vger.kernel.org

On Thu, 20 Jan 2011 05:21:50 +0000, WANG Cong wrote:

> On Wed, 19 Jan 2011 17:26:30 -0500, Eric Paris wrote:
>
>> much like /proc/sys/kernel/modules_disable is used to disable module
>> loading, /proc/sys/kernel/kexec_disable is used to disable kexec code
>> loading. It would still be possible to use kexec -l to load a kernel,
>> set the tunable to 1 so the kernel waiting to boot couldn't change, and
>> then launch the kernel at a later time (through kexec -e or through a
>> crash)
>>
>>
> But root can still change it to 0 and do kexec like normal, right?

Er... never mind, it is a one-way road...

Looks like a good balance between reusing CAP_SYS_MODULE and introducing
a new CAP_SYS_XXX.

Acked-by: WANG Cong

Thanks.
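The lock-down order described in the quoted patch description (load with kexec -l, then set the tunable to 1), as an added audit script that is not part of the thread or the patch: it reports whether modules_disable and the proposed kexec_disable are set and whether an image was staged first. It assumes the tunable keeps the name proposed here and reads /sys/kernel/kexec_loaded and /sys/kernel/kexec_crash_loaded, which the thread does not mention; the sample tree is constructed.

```sh
#!/bin/sh
# Added example: audit the one-way lockdown tunables named in the thread.
# Every function takes a root directory so it can run on a constructed tree.

# tunable_state ROOT NAME: prints locked, open, or absent (kernel lacks the tunable)
tunable_state() {
    f="$1/proc/sys/kernel/$2"
    if [ ! -r "$f" ]; then echo absent; return 0; fi
    if [ "$(cat "$f")" = "1" ]; then echo locked; else echo open; fi
}

# image_state ROOT: prints staged if a kernel is already loaded, else none.
# Assumption: /sys/kernel/kexec_loaded and kexec_crash_loaded (not named in the thread).
image_state() {
    for n in kexec_loaded kexec_crash_loaded; do
        f="$1/sys/kernel/$n"
        if [ -r "$f" ] && [ "$(cat "$f")" = "1" ]; then echo staged; return 0; fi
    done
    echo none
}

# audit ROOT: prints one summary line; returns 0 only when both tunables are locked
audit() {
    m=$(tunable_state "$1" modules_disable)
    k=$(tunable_state "$1" kexec_disable)
    echo "modules_disable=$m kexec_disable=$k image=$(image_state "$1")"
    [ "$m" = locked ] && [ "$k" = locked ]
}

# make_tree ROOT MODULES KEXEC LOADED: build a constructed sample tree;
# pass "-" for KEXEC to model a kernel without the proposed tunable
make_tree() {
    mkdir -p "$1/proc/sys/kernel" "$1/sys/kernel"
    echo "$2" > "$1/proc/sys/kernel/modules_disable"
    if [ "$3" != "-" ]; then echo "$3" > "$1/proc/sys/kernel/kexec_disable"; fi
    echo "$4" > "$1/sys/kernel/kexec_loaded"
}

# Demo on constructed data: image staged with kexec -l, then both tunables set to 1
demo() {
    d=$(mktemp -d)
    make_tree "$d" 1 1 1
    rc=0
    audit "$d" || rc=$?
    rm -rf "$d"
    return "$rc"
}
demo
```

Run `audit ""` to check the live system; an `absent` result means the running kernel does not expose the tunable under the name used in this thread.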