On 12/09/2013 06:38 PM, Kees Cook wrote: > For general-purpose (i.e. distro) kernel builds it makes sense to build with > CONFIG_KEXEC to allow end users to choose what kind of things they want to do > with kexec. However, in the face of trying to lock down a system with such > a kernel, there needs to be a way to disable kexec (much like module loading > can be disabled). Without this, it is too easy for the root user to modify > kernel memory even when CONFIG_STRICT_DEVMEM and modules_disabled are set. Not everybody will be running with selinux, or another LSM security policy, so having this simple knob probably makes sense. OTOH, are the people who run without a fancy security people the same people who are interested in locking down the system? I guess I'll ack the patch, since I see no real downside to having the knob... > Signed-off-by: Kees Cook <keescook at chromium.org> Acked-by: Rik van Riel <riel at redhat.com> -- All rights reversed
