> The issue is/was, that root can inject code at runtime which is then > executed in kernel environment.
Yes there are lots of other ways to do this too. The constraint we use for it is CAP_SYS_RAWIO. With that capability you can totally do raw hardware access and the like so requiring it for runtime ACPI updating and execution is consistent with the security model. > Afaik there are "security" provisions or say setups, which do > hide modprobe/insmod and do not allow root to load any kernel drivers > or similar. To do this you have to revoke CAP_SYS_RAWIO. Alan -- To unsubscribe from this list: send the line "unsubscribe initramfs" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html
