Re: [linux-audio-dev] LSM: Linux 2.6 Kernel Capability LSM Module Local Privilege Elevation


Subject: Re: [linux-audio-dev] LSM: Linux 2.6 Kernel Capability LSM Module Local Privilege Elevation
From: Hans Fugal (hans_AT_fugal.net)
Date: Thu Dec 30 2004 - 17:27:38 EET


On Wed, 29 Dec 2004 at 11:07 +0100, Frank Barknecht wrote:
> Hello,
> Fernando Lopez-Lezcano wrote:
>
> > Why I think this is a yes. Any kernel that wants to use the realtime-lsm
> > will have to either not build the POSIX capabilities lsm, or build it as
> > a module. In the latter case the system will be vulnerable. The
> > realtime-lsm does not depend on the POSIX capabilities lsm but it forces
> > you to build it as a module,
>
> I don't understand: Why does it do so? Shouldn't this be "fixed" in
> the realtime-lsm then?

Someone please correct me if I'm wrong, but it just looks like a case of a
simplistic check. It doesn't look like realtime-lsm really depends on
posix capabilities being compiled as a module, but on posix capabilities
not being compiled in. So I'm going to try this patch (it builds, we'll
see if it works fine, but I suspect it will):

diff -u /tmp/realtime-lsm-0.8.5/Makefile realtime-lsm-0.8.5/Makefile
--- /tmp/realtime-lsm-0.8.5/Makefile 2004-11-24 11:38:41.000000000 -0700
+++ realtime-lsm-0.8.5/Makefile 2004-12-30 08:22:58.000000000 -0700
@@ -20,7 +20,7 @@
        $(MAKE) modules -C $(KERNEL_DIR) SUBDIRS=$(shell pwd)
 
 config:
- @if grep CONFIG_SECURITY_CAPABILITIES=m $(KERNEL_DIR)/.config; \
+ @if ! grep CONFIG_SECURITY_CAPABILITIES=y $(KERNEL_DIR)/.config; \
        then ln -sf $(KERNEL_DIR)/security/$(COMMONCAP) .; \
        else echo "Failed: Security Capabilities not configured as module"; \
             echo "Realtime LSM will not work with $(KERNEL_DIR)"; \
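Review bot: With the test negated on the `+` line, any grep failure now takes the `then` branch, so a missing or unreadable `$(KERNEL_DIR)/.config` is treated the same as "capabilities not built in" and commoncap gets linked, where the old check fell through to the failure message. Consider testing that the file exists first and anchoring the pattern, e.g. `grep -q '^CONFIG_SECURITY_CAPABILITIES=y'`, which also keeps the matched line out of the build output. The unchanged `else` message "Failed: Security Capabilities not configured as module" no longer describes the failing condition, which after this change is capabilities being built in (`=y`), so it should be reworded to say that.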

-- 
 .O.  Hans Fugal            | De gustibus non disputandum est.
 ..O  http://hans.fugal.net | Debian, vim, mutt, ruby, text, gpg
 OOO                        | WindowMaker, gaim, UTF-8, RISC, JS Bach
---------------------------------------------------------------------
GnuPG Fingerprint: 6940 87C5 6610 567F 1E95  CB5E FC98 E8CD E0AA D460




This archive was generated by hypermail 2b28 : Thu Dec 30 2004 - 17:35:11 EET