On Sun, 2013-09-08 at 10:32 -0700, James Bottomley wrote: > On Sun, 2013-09-08 at 17:27 +0000, Matthew Garrett wrote: > > > It's an argument that CAP_SYS_BOOT is too powerful yes, but if you > > > recall, I said I keep that one. In the rather lame analogy, what I do > > > by giving away CAP_SYS_MODULE and enforcing module signing while keeping > > > CAP_SYS_BOOT is allow people into my conservatory to play with the > > > plants but not into my house to steal the silver ... saying CAP_SYS_BOOT > > > is too powerful doesn't affect that use case because I haven't given > > > away CAP_SYS_BOOT. > > > > Ok, sorry, I had your meaning inverted. Yes, permitting the loading of > > signed modules while preventing the use of kexec is a completely > > reasonable configuration - so reasonable that it's what this patch > > causes the kernel to do automatically. > > Well, no, it doesn't because with this patch, *I* can't use kexec ... > you've just locked me out of my own house. Hm. Ok, that's a more compelling argument than Greg's. Let me think about whether there's a convenient way of supporting this. -- Matthew Garrett <matthew.garrett@xxxxxxxxxx> ��.n��������+%������w��{.n�����{����*jg��������ݢj����G�������j:+v���w�m������w�������h�����٥