From: "H. Peter Anvin" <hpa@zytor.com>
To: James Morris <jmorris@namei.org>
Cc: Matthew Garrett <matthew.garrett@nebula.com>,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, linux-efi@vger.kernel.org,
kexec@lists.infradead.org, linux-pci@vger.kernel.org
Subject: Re: [PATCH 01/12] Security: Add CAP_COMPROMISE_KERNEL
Date: Tue, 19 Mar 2013 18:03:50 -0700 [thread overview]
Message-ID: <51490AF6.4080707@zytor.com> (raw)
In-Reply-To: <alpine.LRH.2.02.1303191542200.30973@tundra.namei.org>
On 03/18/2013 09:47 PM, James Morris wrote:
> On Mon, 18 Mar 2013, Matthew Garrett wrote:
>
>> This patch introduces CAP_COMPROMISE_KERNEL.
>
> I'd like to see this named CAP_MODIFY_KERNEL, which is more accurate and
> less emotive. Otherwise I think core kernel developers will be scratching
> their head over where to sprinkle this.
>
> Apart from that, I like the idea, especially when it's wired up to MAC
> security.
The wiring up to MAC security is a nice touch.
-hpa
--
H. Peter Anvin, Intel Open Source Technology Center
I work for Intel. I don't speak on their behalf.
next prev parent reply other threads:[~2013-03-20 1:04 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-03-18 21:32 [PATCH 01/12] Security: Add CAP_COMPROMISE_KERNEL Matthew Garrett
2013-03-18 21:32 ` [PATCH 02/12] SELinux: define mapping for CAP_COMPROMISE_KERNEL Matthew Garrett
2013-03-18 21:32 ` [PATCH 03/12] Secure boot: Add a dummy kernel parameter that will switch on Secure Boot mode Matthew Garrett
2013-03-18 21:32 ` [PATCH 04/12] efi: Enable secure boot lockdown automatically when enabled in firmware Matthew Garrett
2013-03-18 21:32 ` [PATCH 05/12] PCI: Require CAP_COMPROMISE_KERNEL for PCI BAR access Matthew Garrett
2013-03-27 15:03 ` Josh Boyer
2013-03-27 15:08 ` Kyle McMartin
2013-03-28 12:46 ` Josh Boyer
2013-03-18 21:32 ` [PATCH 06/12] x86: Require CAP_COMPROMISE_KERNEL for IO port access Matthew Garrett
2013-03-20 1:00 ` H. Peter Anvin
2013-03-18 21:32 ` [PATCH 07/12] ACPI: Limit access to custom_method Matthew Garrett
2013-03-18 21:32 ` [PATCH 08/12] asus-wmi: Restrict debugfs interface Matthew Garrett
2013-03-18 21:32 ` [PATCH 09/12] Require CAP_COMPROMISE_KERNEL for /dev/mem and /dev/kmem access Matthew Garrett
2013-03-18 21:32 ` [PATCH 10/12] acpi: Ignore acpi_rsdp kernel parameter in a secure boot environment Matthew Garrett
2013-03-19 8:47 ` Dave Young
2013-03-19 11:19 ` Josh Boyer
2013-03-19 17:07 ` [PATCH v2] " Josh Boyer
2013-03-18 21:32 ` [PATCH 11/12] x86: Require CAP_COMPROMISE_KERNEL for MSR writing Matthew Garrett
2013-03-18 21:32 ` [PATCH 12/12] kexec: Require CAP_SYS_COMPROMISE_KERNEL Matthew Garrett
2013-03-19 4:47 ` [PATCH 01/12] Security: Add CAP_COMPROMISE_KERNEL James Morris
2013-03-20 1:03 ` H. Peter Anvin [this message]
2013-03-20 16:41 ` Mimi Zohar
2013-03-20 16:49 ` Matthew Garrett
2013-03-20 18:01 ` Mimi Zohar
2013-03-20 18:12 ` Matthew Garrett
2013-03-20 19:16 ` Mimi Zohar
2013-03-20 20:37 ` Matthew Garrett
2013-03-20 21:11 ` Mimi Zohar
2013-03-20 21:18 ` Matthew Garrett
2013-03-21 13:43 ` Vivek Goyal
2013-03-21 15:37 ` Serge E. Hallyn
2013-03-21 15:52 ` Vivek Goyal
2013-03-21 15:58 ` Serge E. Hallyn
2013-03-21 16:04 ` Vivek Goyal
2013-03-21 16:19 ` Serge E. Hallyn
2013-03-21 17:15 ` Vivek Goyal
2013-03-21 1:58 ` James Morris
2013-03-19 7:18 ` Yves-Alexis Perez
2013-03-20 1:02 ` H. Peter Anvin
2013-03-20 1:05 ` H. Peter Anvin
2013-03-20 13:15 ` Matthew Garrett
2013-03-20 15:03 ` H. Peter Anvin
2013-03-20 15:14 ` Matthew Garrett
2013-03-20 16:45 ` H. Peter Anvin
-- strict thread matches above, loose matches on Subject: below --
2013-03-20 1:07 Matthew Garrett
2013-03-20 1:11 ` H. Peter Anvin
2013-03-20 1:09 Matthew Garrett
2013-03-20 1:28 Matthew Garrett
2013-03-20 2:48 ` H. Peter Anvin
2013-03-20 3:08 ` H. Peter Anvin
2013-03-20 3:18 ` Alex Williamson
2013-03-20 3:22 ` H. Peter Anvin
2013-03-20 3:27 ` Alex Williamson
2013-03-21 16:32 Matthew Garrett
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=51490AF6.4080707@zytor.com \
--to=hpa@zytor.com \
--cc=jmorris@namei.org \
--cc=kexec@lists.infradead.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=matthew.garrett@nebula.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).