Quoting Matthew Garrett (mjg@xxxxxxxxxx): > Secure boot adds certain policy requirements, including that root must not > be able to do anything that could cause the kernel to execute arbitrary code. > The simplest way to handle this would seem to be to add a new capability > and gate various functionality on that. We'll then strip it from the initial > capability set if required. > > Signed-off-by: Matthew Garrett <mjg@xxxxxxxxxx> Acked-by: Serge E. Hallyn <serge.hallyn@xxxxxxxxxx> > --- > include/linux/capability.h | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > > diff --git a/include/linux/capability.h b/include/linux/capability.h > index d10b7ed..4345bc8 100644 > --- a/include/linux/capability.h > +++ b/include/linux/capability.h > @@ -364,7 +364,11 @@ struct cpu_vfs_cap_data { > > #define CAP_BLOCK_SUSPEND 36 > > -#define CAP_LAST_CAP CAP_BLOCK_SUSPEND > +/* Allow things that trivially permit root to modify the running kernel */ > + > +#define CAP_COMPROMISE_KERNEL 37 > + > +#define CAP_LAST_CAP CAP_COMPROMISE_KERNEL > > #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP) > > -- > 1.7.11.4 > > -- > To unsubscribe from this list: send the line "unsubscribe linux-security-module" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html