I was actually working with the 0.8.5 tarball outside of the kernel. There doesn't seem to be any problem with SECURITY_CAPABILITIES=n when using the realtime-lsm 2.6.10 patch. (Again, I built but didn't reboot to test)
On Thu, 30 Dec 2004 at 10:20 -0600, Jack O'Quin wrote:
> Hans Fugal <[EMAIL PROTECTED]> writes:
>
> > On Wed, 29 Dec 2004 at 11:07 +0100, Frank Barknecht wrote:
> >> Hello,
> >> Fernando Lopez-Lezcano wrote:
> >>
> >> > Why I think this is a yes. Any kernel that wants to use the realtime-lsm
> >> > will have to either not build the POSIX capabilities lsm, or build it as
> >> > a module. In the latter case the system will be vulnerable. The
> >> > realtime-lsm does not depend on the POSIX capabilities lsm but it forces
> >> > you to build it as a module,
> >>
> >> I don't understand: Why does it do so? Shouldn't this be "fixed" in
> >> the realtime-lsm then?
>
> Actually, the bug is not in either. The "fix" is in security/dummy.c.
>
> > Someone please correct me if I'm wrong, but it just looks like a case of a
> > simplistic check. It doesn't look like realtime-lsm really depends on
> > posix capabilities being compiled as a module, but on posix capabilities
> > not being compiled in. So I'm going to try this patch (it builds, we'll
> > see if it works fine, but I suspect it will):
>
> The actual source code is in security/Kconfig...
>
>   config SECURITY_REALTIME
>           tristate "Realtime Capabilities"
>           depends on SECURITY && SECURITY_CAPABILITIES!=y
>           default n
>           help
>             This module selectively grants realtime privileges
>             controlled by parameters set at load time or via files in
>             /sys/module/realtime/parameters.
>
>             If you are unsure how to answer this question, answer N.
>
> The reason for this check is that realtime-lsm does not work when the
> capability LSM is installed built-in (i.e. not as a module). I am not
> a wizard at Kconfig. Perhaps someone more skilled in this area can
> explain what to do. Note that capability is not needed when realtime
> is installed.
> --
>   joq
>

--
 .O.  Hans Fugal            | De gustibus non disputandum est.
 ..O  http://hans.fugal.net | Debian, vim, mutt, ruby, text, gpg
 OOO                        | WindowMaker, gaim, UTF-8, RISC, JS Bach
---------------------------------------------------------------------
GnuPG Fingerprint: 6940 87C5 6610 567F 1E95 CB5E FC98 E8CD E0AA D460
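The `depends on` line quoted in the message above, evaluated against a kernel `.config`, as an added example that is not part of the original thread. The function names and the `.config` fragments are constructed for illustration, and only the `y`/`m`/`n` symbols that this one expression uses are modelled.

```python
import re

# Constructed .config fragments (not taken from the thread).
SAMPLES = {
    "built-in": "CONFIG_SECURITY=y\nCONFIG_SECURITY_CAPABILITIES=y\n",
    "module": "CONFIG_SECURITY=y\nCONFIG_SECURITY_CAPABILITIES=m\n",
    "disabled": "CONFIG_SECURITY=y\n# CONFIG_SECURITY_CAPABILITIES is not set\n",
    "no-lsm": "# CONFIG_SECURITY is not set\nCONFIG_SECURITY_CAPABILITIES=m\n",
}

def parse_config(text):
    """Map symbol -> 'y' | 'm' | 'n' for the bool/tristate lines of a .config."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        set_line = re.match(r"CONFIG_(\w+)=([ym])$", line)
        unset_line = re.match(r"# CONFIG_(\w+) is not set$", line)
        if set_line:
            values[set_line.group(1)] = set_line.group(2)
        elif unset_line:
            values[unset_line.group(1)] = "n"
    return values

def realtime_dependency(text):
    """Evaluate 'depends on SECURITY && SECURITY_CAPABILITIES!=y'.

    Returns (selectable, capabilities_value). A symbol missing from the
    file is treated as 'n', which is how Kconfig treats an unset symbol.
    """
    cfg = parse_config(text)
    security = cfg.get("SECURITY", "n")
    caps = cfg.get("SECURITY_CAPABILITIES", "n")
    return (security == "y" and caps != "y", caps)

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        selectable, caps = realtime_dependency(text)
        state = "selectable" if selectable else "hidden"
        print(f"{name:9} SECURITY_CAPABILITIES={caps} -> SECURITY_REALTIME {state}")
```

The expression already admits both `n` and `m` for `SECURITY_CAPABILITIES`; only the built-in case hides `SECURITY_REALTIME`.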