[linux-audio-dev] LSM: Linux 2.6 Kernel Capability LSM Module Local Privilege Elevation

Lee Revell rlrevell at joe-job.com
Wed Dec 29 19:09:11 UTC 2004


On Wed, 2004-12-29 at 10:54 -0800, Fernando Lopez-Lezcano wrote:
> On Wed, 2004-12-29 at 02:07, Frank Barknecht wrote:
> > Hello,
> > Fernando Lopez-Lezcano said: // Fernando Lopez-Lezcano wrote:
> > 
> > > Why I think this is a yes. Any kernel that wants to use the realtime-lsm
> > > will have to either not build the POSIX capabilities lsm, or build it as
> > > a module. In the latter case the system will be vulnerable. The
> > > realtime-lsm does not depend on the POSIX capabilities lsm but it forces
> > > you to build it as a module, 
> > 
> > I don't understand: Why does it do so? Shouldn't this be "fixed" in
> > the realtime-lsm then?
> 
> I don't understand the technical details. I did try this last week but
> it does not work, you can either have the POSIX lsm or the realtime lsm
> subscribed as a secondary module (whatever that is), but not both at the
> same time. Apparently (Jack O'Quinn told me this) the modules can't
> currently be stacked. I suspect this is not an issue with the
> realtime-lsm module but with the underlying kernel support. 
> 

I think it's actually an issue with the POSIX capabilities module,
there's nothing the realtime LSM can do about it.  For example you can
load realtime LSM on top of SELinux.

Lee
