Re: [PATCH 2/2] ACPI: Override arbitrary ACPI tables via initrd for debugging

Early cpio decoder and ACPI table override via initrd making use of it · Thomas Renninger <hidden> · 2012-09-21
[PATCH 1/2] lib: Add early cpio decoder · Thomas Renninger <hidden> · 2012-09-21
[PATCH 2/2] ACPI: Override arbitrary ACPI tables via initrd for debugging · Thomas Renninger <hidden> · 2012-09-21
Re: [PATCH 2/2] ACPI: Override arbitrary ACPI tables via initrd for debugging · Yinghai Lu <yinghai@kernel.org> · 2012-09-21
Re: [PATCH 2/2] ACPI: Override arbitrary ACPI tables via initrd for debugging · Thomas Renninger <hidden> · 2012-09-25
Re: [PATCH 2/2] ACPI: Override arbitrary ACPI tables via initrd for debugging · Len Brown <lenb@kernel.org> · 2012-09-22
Re: [PATCH 2/2] ACPI: Override arbitrary ACPI tables via initrd for debugging · Thomas Renninger <hidden> · 2012-09-23
Re: [PATCH 2/2] ACPI: Override arbitrary ACPI tables via initrd for debugging · Len Brown <lenb@kernel.org> · 2012-09-23
Re: [PATCH 2/2] ACPI: Override arbitrary ACPI tables via initrd for debugging · Thomas Renninger <hidden> · 2012-09-24
Re: [PATCH 2/2] ACPI: Override arbitrary ACPI tables via initrd for debugging · Alan Cox <hidden> · 2012-09-24
[PATCH] ACPI: Only allow users with CAP_SYS_RAWIO rights to overwrite ACPI funcs at runtime · Thomas Renninger <hidden> · 2012-09-25
Re: [PATCH 2/2] ACPI: Override arbitrary ACPI tables via initrd for debugging · Matthew Garrett <mjg59@srcf.ucam.org> · 2012-09-24
Re: [PATCH 2/2] ACPI: Override arbitrary ACPI tables via initrd for debugging · "H. Peter Anvin" <hpa@zytor.com> · 2012-09-24

From: Alan Cox <hidden>
Date: 2012-09-24 09:17:26
Also in: lkml

The issue is/was, that root can inject code at runtime which is then
executed in kernel environment.

Yes there are lots of other ways to do this too. The constraint we use
for it is CAP_SYS_RAWIO. With that capability you can totally do raw
hardware access and the like so requiring it for runtime ACPI updating
and execution is consistent with the security model.

Afaik there are "security" provisions or say setups, which do
hide modprobe/insmod and do not allow root to load any kernel drivers 
or similar.

To do this you have to revoke CAP_SYS_RAWIO.

Alan

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help