Advertisement
Front, Kernel, Security, Distributions, Development. See your byline here on LWN.net.
Sponsored link
Vyatta –
Linux & Open Source
Alternative to Cisco –
Advanced Routing,
Firewall, VPN, QoS..
Free Download ->
| |||||||||||
The ExecShield patchesThe ExecShield patchesPosted Jul 20, 2005 7:27 UTC (Wed) by nix (subscriber, #2304)In reply to: The ExecShield patches by dlang Parent article: Kernel Summit 2005: The ExecShield patches
People running firewalls can already remove CAP_RAWIO from the kernel's capability bounding set, which bans reads and writes to /dev/mem. (Obviously, you have to grant an X server this capability, but there shouldn't be one of those running on a firewall anyway, really.)
(Log in to post comments)
The ExecShield patches Posted Jul 20, 2005 20:42 UTC (Wed) by dlang (subscriber, #313) [Link] unless ou are running selinux (which most distros don't do, and I definantly don't trust RedHat enough to use it on a firewall) I am not aware of an easy way to do this.
if there is one please let me know how.
Re: access to /dev/mem Posted Jul 22, 2005 1:47 UTC (Fri) by sweikart (guest, #4276) [Link] Here's a good description of it:
http://lwn.net/1999/1202/kernel.php3
And here's an implementation for dropping capabilities at boot time:
http://lists.nas.nasa.gov/archives/ext/linux-security-aud...
Since you can disable access to /dev/mem with the capability bounding set, I would request that the semantics of /dev/mem not change.
-scott
|
|||||||||||