On Fri, Mar 04, 2011 at 21:42 +0100, Rafael J. Wysocki wrote: > That "everyone" is actually the "full root" (in the case of /sys/power/state) > or someone having CAP_SYS_ADMIN in the /dev/snapshot case, right? Yes, sorry for my bad english. "Everyone" is indeed misleading :-D > Second, there's _zero_ relationship between /proc/sys/kernel/modules_disabled > and the hibernation interface, so please find a different way to solve the > problem (if there is any). If modules_disabled is set to 1, then nobody, even full root may not write to the kernel, right? So, if something permits to indirectly pass modules_disabled restriction, this is a bug. Otherwise, modules_disabled is confusing as it gives false sense of security. -OR- modules_disabled's documentation should be changed to note that it doesn't prevent rootkit uploading, but only forbids modprob'ing modules via the "official" init_module(2) gate, disallowing e.g. module autoloading. Thanks, -- Vasiliy Kulikov http://www.openwall.com - bringing security into open computing environments _______________________________________________ linux-pm mailing list linux-pm@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linux-foundation.org/mailman/listinfo/linux-pm
