On Tue, 2004-12-28 at 23:36 -0800, Fernando Lopez-Lezcano wrote:
Any kernel that wants to use the realtime-lsm
will have to either not build the POSIX capabilities lsm, or build it as
a module. In the later case the system will be vulnerable. The
realtime-lsm does not depend on the POSIX capabilities lsm but it forces
you to build it as a module, exposing the vulnerability, which maybe I
misunderstood as not being present if you build with the POSIX lsm into
the kernel (as opposed to building it as a module).
I do understand that loading the realtime lsm only does not create a
vulnerability (other than well known possibilities of DOS attacks by
mean linux audio users :-)
OK, that is a clearer explanation than mine ;-)
Anyway the kernel folks don't seem worried.
Lee