[linux-audio-dev] LSM: Linux 2.6 Kernel Capability LSM Module Local Privilege Elevation

Lee Revell rlrevell at joe-job.com
Wed Dec 29 06:15:22 UTC 2004


On Tue, 2004-12-28 at 21:51 -0800, Fernando Lopez-Lezcano wrote:
> On Tue, 2004-12-28 at 13:35, Lee Revell wrote:
> > On Tue, 2004-12-28 at 13:17 -0800, Fernando Lopez-Lezcano wrote:
> > > On Tue, 2004-12-28 at 12:28, Lee Revell wrote:
> > > > On Mon, 2004-12-27 at 14:41 +0100, Frank Barknecht wrote:
> > > > > Read on here:
> > > > > http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2004-12/0390.html
> > > > 
> > > > Wow, this is a HORRIBLE bug.
> > > 
> > > Indeed. I tried it and it works. Someone should have been pointing a
> > > camera at me to capture the "moment" :-) Spent the better part of
> > > yesterday building new Planet CCRMA kernels without this "feature".
> > 
> > Yes, fortunately realtime-lsm does not depend on the capability module.
> > Still, I would expect that many audio users load it out of confusion.
> 
> At least in FC3 the capability module is not a module, it is built into
> the kernel. Thus the problem, the realtime lsm does not work (tried it)
> if capability is built into the kernel, apparently the two modules can't
> be stacked, it is one or the other. So, any low latency kernel that
> wants to use realtime lsm is, I think, going to be affected. 

No, the capability module that is referred to in the advisory is the
POSIX capabilities module.  I have this configured as a module on my
system, but never load it, and realtime-lsm does not depend on it.
realtime-lsm only depends on the "commoncap" module.

Lee



