On Sun, Nov 03, 2019 at 12:56:48PM -0500, Theodore Y. Ts'o wrote: > On Sun, Nov 03, 2019 at 04:55:48PM +0200, Topi Miettinen wrote: > > Several items in /proc/sys need not be accessible to unprivileged > > tasks. Let the system administrator change the permissions, but only > > to more restrictive modes than what the sysctl tables allow. > > > > Signed-off-by: Topi Miettinen <toiwoton@xxxxxxxxx> > > Why should restruct the system administrator from changing the > permissions to one which is more lax than what the sysctl tables? > > The system administrator is already very much trusted. Why should we > take that discretion away from the system administrator? Generally speaking, they're there to provide some sense of boundary between uid 0 and the kernel proper. I think it's correct to not allow weakening of these permissions (which is the current state: no change at all). -- Kees Cook
