Weekly edition	Kernel	Security	Distributions	Contact Us	Search
Archives	Calendar	Subscribe	Write for LWN	LWN.net FAQ	Sponsors

The ExecShield patches

Posted Jul 20, 2005 7:27 UTC (Wed) by nix (subscriber, #2304)
In reply to: The ExecShield patches by dlang
Parent article: Kernel Summit 2005: The ExecShield patches

People running firewalls can already remove CAP_RAWIO from the kernel's capability bounding set, which bans reads and writes to /dev/mem. (Obviously, you have to grant an X server this capability, but there shouldn't be one of those running on a firewall anyway, really.)

(Log in to post comments)

Posted Jul 20, 2005 20:42 UTC (Wed) by dlang (✭ supporter ✭, #313) [Link]

unless ou are running selinux (which most distros don't do, and I definantly don't trust RedHat enough to use it on a firewall) I am not aware of an easy way to do this.

if there is one please let me know how.

Re: access to /dev/mem

Posted Jul 22, 2005 1:47 UTC (Fri) by sweikart (guest, #4276) [Link]

Here's a good description of it:

http://lwn.net/1999/1202/kernel.php3

And here's an implementation for dropping capabilities at boot time:

http://lists.nas.nasa.gov/archives/ext/linux-security-aud...

Since you can disable access to /dev/mem with the capability bounding set, I would request that the semantics of /dev/mem not change.

-scott

Re: access to /dev/mem

Posted Jul 25, 2005 11:54 UTC (Mon) by nix (subscriber, #2304) [Link]

The one-liner I use on my firewall is online here.