[linux-audio-dev] LSM: Linux 2.6 Kernel Capability LSM Module Local Privilege Elevation
Hans Fugal
hans at fugal.net
Thu Dec 30 15:27:38 UTC 2004
On Wed, 29 Dec 2004 at 11:07 +0100, Frank Barknecht wrote:
> Hello,
> Fernando Lopez-Lezcano wrote:
>
> > Why I think this is a yes. Any kernel that wants to use the realtime-lsm
> > will have to either not build the POSIX capabilities lsm, or build it as
> > a module. In the latter case the system will be vulnerable. The
> > realtime-lsm does not depend on the POSIX capabilities lsm but it forces
> > you to build it as a module,
>
> I don't understand: Why does it do so? Shouldn't this be "fixed" in
> the realtime-lsm then?

Someone please correct me if I'm wrong, but it just looks like a case of a
simplistic check. It doesn't look like realtime-lsm really depends on
posix capabilities being compiled as a module, but on posix capabilities
not being compiled in. So I'm going to try this patch (it builds, we'll
see if it works fine, but I suspect it will):

diff -u /tmp/realtime-lsm-0.8.5/Makefile realtime-lsm-0.8.5/Makefile
--- /tmp/realtime-lsm-0.8.5/Makefile 2004-11-24 11:38:41.000000000 -0700
+++ realtime-lsm-0.8.5/Makefile 2004-12-30 08:22:58.000000000 -0700
@@ -20,7 +20,7 @@
$(MAKE) modules -C $(KERNEL_DIR) SUBDIRS=$(shell pwd)
config:
- @if grep CONFIG_SECURITY_CAPABILITIES=m $(KERNEL_DIR)/.config; \
+ @if ! grep CONFIG_SECURITY_CAPABILITIES=y $(KERNEL_DIR)/.config; \
then ln -sf $(KERNEL_DIR)/security/$(COMMONCAP) .; \
else echo "Failed: Security Capabilities not configured as module"; \
echo "Realtime LSM will not work with $(KERNEL_DIR)"; \
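
Review bot: the else branch of the config target still prints "Failed: Security Capabilities not configured as module", but with the new test `! grep CONFIG_SECURITY_CAPABILITIES=y` that branch is reached only when capabilities are built in, so the message should say that instead (for example "Failed: Security Capabilities are built into the kernel"). The negation also makes the check succeed whenever grep itself fails, such as when $(KERNEL_DIR)/.config is missing or unreadable, and the symlink to security/$(COMMONCAP) is then created without the configuration having been verified. Test that the file exists before the grep, and anchor the pattern as `^CONFIG_SECURITY_CAPABILITIES=y$` so only the exact setting matches.
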
--
.O. Hans Fugal | De gustibus non disputandum est.
..O http://hans.fugal.net | Debian, vim, mutt, ruby, text, gpg
OOO | WindowMaker, gaim, UTF-8, RISC, JS Bach
---------------------------------------------------------------------
GnuPG Fingerprint: 6940 87C5 6610 567F 1E95 CB5E FC98 E8CD E0AA D460