Eric Paris <eparis at parisplace.org> writes: > On Thu, Jan 6, 2011 at 3:47 AM, Eric W. Biederman <ebiederm at xmission.com> wrote: >> Amerigo Wang <amwang at redhat.com> writes: >> >>> Eric pointed out that kexec_load() actually allows you to >>> run any code you want in ring0, this is more like CAP_SYS_MODULE. >> >> Let me get this straight you want to make the permission checks >> less stringent by allowing either CAP_SYS_MODULE or CAP_SYS_BOOT? > > Nope, read my patch again. It actually requires BOTH of them. Ah right. Testing the negative and going to -EPERM. >> CAP_SYS_BOOT is the correct capability. ?Sure you can run any >> code but only after rebooting. ?I don't see how this differs >> from any other reboot scenario. > > The difference is that after a reboot the bootloader and the system > control what code is run. kexec_load() immediately runs the new > kernel which is not controlled by the bootloader or by the system. > Imagine a situation where the bootloader and the /boot directory are > RO (enforced by hardware). kexec_load() would let you run any kernel > code you want on the box whereas reboot would not. The scenario is imaginable (not common but imaginable) but I don't see how requiring CAP_SYS_MODULE makes anything better. If I was building a configuration where I didn't want anyone to be able to direct the kernel into a different state by locking down the bootloaders I expect I would compile out the syscall as well. Most bootloaders have the option of booting something else the mechanism is just different. I really don't see what the addition of CAP_SYS_MODULE gains you. Right now CAP_SYS_BOOT still makes sense to me and CAP_SYS_MODULE stills seems like nonsense in this context. Eric
