? 2011?01?09? 10:09, Eric W. Biederman ??: > > We aren't dealing with modules I think CAP_SYS_MODULE is totally > irrelevant in the context of kexec. Yeah, although I don't really understand CAP_SYS_MODULE, but it really confused me to add it to kexec_load() from its name. > > I think to accomplish what you want we either need a way to disable > sys_kexec_load or possibly a new very targeted capability bit. > > You are making it so that giving someone CAP_SYS_MODULE is giving more > than the ability to load kernel modules. Which seems non-intuitive from > a system management point of view. > How about CAP_SYS_KEXEC? Thanks.
