Il 13/02/2013 07:33, H. Peter Anvin ha scritto: >> >>> Sounds like you are thinking of CAP_SYS_ADMIN, but I don't really see a >>> huge difference between MSRs and I/O control registers... just different >>> address spaces. >> >> Not having CAP_SYS_RAWIO blocks various SCSI commands, for instance. >> These might result in the ability to write individual blocks or destroy >> the device firmware, but do any of them permit modifying the running >> kernel? No, they cannot. > That is just batshit crazy. If you have CAP_SYS_RAWIO you can do iopl() > which means you can reprogram your northbridge, at which point you most > definitely *can* modify the running kernel. > > And some SCSI driver requires this??! No, and that's why there is a patchset floating that lets you toggle this ability with a sysfs control. This way you do not need CAP_SYS_RAWIO anymore. On non-x86 machines CAP_SYS_RAWIO is much less dangerous, especially when coupled with file DAC. Paolo -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
