From mboxrd@z Thu Jan 1 00:00:00 1970 From: "H. Peter Anvin" Subject: Re: [PATCH] x86: Lock down MSR writing in secure boot Date: Wed, 13 Feb 2013 14:26:45 -0800 Message-ID: <511C1325.5060601@zytor.com> References: <1360355671.18083.18.camel@x230.lan> <51157C9C.6030501@zytor.com> <20130208230655.GB28990@pd.tnic> <1360366012.18083.21.camel@x230.lan> <5115A4CC.3080102@zytor.com> <1360373383.18083.23.camel@x230.lan> <20130209092925.GA17728@pd.tnic> <1360422712.18083.24.camel@x230.lan> <511AE2CC.5040705@zytor.com> <1360733962.18083.30.camel@x230.lan> <511B2EB9.5070406@zytor.com> <1360736860.18083.33.camel@x230.lan> <511B33BC.9080307@zytor.com> <1360737709.18083.36.camel@x230.lan> <511 BCB6E.8080102@zytor.com> <1360776399.18083.39.camel@x230.lan> <511BD291.1040003@schaufler-ca.com> Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <511BD291.1040003@schaufler-ca.com> Sender: linux-security-module-owner@vger.kernel.org To: Casey Schaufler Cc: Matthew Garrett , Borislav Petkov , Kees Cook , LKML , Thomas Gleixner , Ingo Molnar , "x86@kernel.org" , "linux-efi@vger.kernel.org" , linux-security-module List-Id: linux-efi@vger.kernel.org On 02/13/2013 09:51 AM, Casey Schaufler wrote: > > You can't add a new capability where there is an existing capability > that can be remotely argued to be appropriate. > > If you tried to "fix" CAP_SYS_RAWIO and/or CAP_SYS_ADMIN you'd end > up with hundreds of capabilities. > > Your particular problem is *not* so important that you get a > capability all to yourself. > {facepalm} This is exactly the kind of thinking which has led to the capability system being so bloody useless. Capabilities need to be associated with resources, not use cases. -hpa -- H. Peter Anvin, Intel Open Source Technology Center I work for Intel. I don't speak on their behalf.