Amerigo Wang <amwang at redhat.com> writes: > Eric pointed out that kexec_load() actually allows you to > run any code you want in ring0, this is more like CAP_SYS_MODULE. Let me get this straight you want to make the permission checks less stringent by allowing either CAP_SYS_MODULE or CAP_SYS_BOOT? CAP_SYS_BOOT is the correct capability. Sure you can run any code but only after rebooting. I don't see how this differs from any other reboot scenario. Eric > Reported-by: Eric Paris <eparis at redhat.com> > Signed-off-by: WANG Cong <amwang at redhat.com> > > --- > diff --git a/kernel/kexec.c b/kernel/kexec.c > index b55045b..c30d613 100644 > --- a/kernel/kexec.c > +++ b/kernel/kexec.c > @@ -945,7 +945,7 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments, > int result; > > /* We only trust the superuser with rebooting the system. */ > - if (!capable(CAP_SYS_BOOT)) > + if (!capable(CAP_SYS_BOOT) || !capable(CAP_SYS_MODULE)) > return -EPERM; > > /*
