On Wed, 2013-09-04 at 20:52 -0700, H. Peter Anvin wrote: > On 09/03/2013 04:50 PM, Matthew Garrett wrote: > > IO port access would permit users to gain access to PCI configuration > > registers, which in turn (on a lot of hardware) give access to MMIO register > > space. This would potentially permit root to trigger arbitrary DMA, so lock > > it down by default. > > > > Signed-off-by: Matthew Garrett <matthew.garr...@nebula.com> > > Seriously... just deny CAP_SYS_RAWIO to any system in secure mode.
No. CAP_SYS_RAWIO blocks things that we don't want blocked (x86 microcode updates, various disk ioctls, *device firmware uploads* and a few others) - the semantics just don't match. We could relax those permissions, but then we'd potentially break someone else's security considerations. -- Matthew Garrett <matthew.garr...@nebula.com> N�����r��y����b�X��ǧv�^�){.n�+����{����zX����ܨ}���Ơz�&j:+v�������zZ+��+zf���h���~����i���z��w���?�����&�)ߢf��^jǫy�m��@A�a��� 0��h���i