Subject: Turn CONFIG_STRICT_DEVMEM in sysctl dev.mem.restricted
Newsgroups: gmane.linux.kernel.cross-arch, gmane.linux.kernel, gmane.linux.kernel.crash-dump.crash-utility
Date: 2008-11-16 14:47:45 GMT (3 years, 25 weeks, 6 days, 7 hours and 26 minutes ago)
This patch series turns CONFIG_STRICT_DEVMEM in a sysctl dev.mem.restricted. While the restricted /dev/mem is useful in most scenarios, it is not when doing live debugging. The crash utility (http://people.redhat.com/~anderson) needs access to /dev/mem. As distributor (at least for "enterprise" distributions) you need both: The protection in the general case and the ability to do live debugging. The patch doesn't make the kernel more insecure: Without SELinux or AppArmor, it has always been possible to circumvent that /dev/mem restriction. With it, you can also prevent the (super) user from doing "sysctl dev.mem.restricted=1". This patch series differs in two ways from the original submission: - The patch that removes CONFIG_STRICT_DEVMEM has been added. - The binary sysctl is removed, now it's only a /proc/sys sysctl. While the original submission of CONFIG_STRICT_DEVMEM mentions that the option has been in RHEL and Fedora for 4 years without problems, that's only a half of the story. The truth is that at least RHEL has /dev/crash exactly to circumvent that /dev/mem restriction. Don't tell me that this is better than having that sysctl entry.The patch has been tested on i386. There should be no difference to x86_64. Signed-off-by: Bernhard Walle <bwalle <at> suse.de>