On Fri, 2012-10-26 at 19:19 +0100, Matthew Garrett wrote:
> On Fri, Oct 26, 2012 at 01:59:34PM -0400, Mimi Zohar wrote:
> > On Fri, 2012-10-26 at 03:39 +0100, Matthew Garrett wrote:
> > > and it must be impossible for anything other than
> > > /sbin/kexec to make the kexec system call.
> >
> > Permission is a MAC issue. :)
>
> It's a MAC issue that has to be implemented in the kernel. We can't
> depend on userspace loading any kind of policy.

Still a MAC issue, that probably could be addressed by capabilities. I
suggest you post this issue on the LSM mailing list. Please cc: Serge,
as the capabilities maintainer.

thanks,

Mimi