[grsec] question on cdrom access
spender at grsecurity.net
Fri Aug 20 17:24:03 EDT 2004
> What could be the problem? Please help.
When the RBAC system is enabled, processes are unable to access block
devices if they lack CAP_SYS_RAWIO. Obviously, a non-root process lacks
that capability and is unable to access the device even if DAC
permissions grant it. Grsecurity already enforces the removal of
CAP_SYS_RAWIO and CAP_MKNOD as well as an object for /dev without read
and write in / subjects. So, the added restriction isn't really needed.
Since CAP_SYS_RAWIO and even more so CAP_MKNOD are rarely found granted
in subjects, perhaps the only thing needed for the removal of this
additional restriction is a warning whenever read or write is granted to
/dev to guard against foolish policies.
-Brad
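The warning Brad proposes (flag any subject whose /dev object carries read or write, or which keeps CAP_SYS_RAWIO or CAP_MKNOD) as a stand-alone policy linter; this is an added example, not gradm code or anything from the thread. It assumes a simplified reading of the RBAC policy syntax, a constructed sample policy, and the assumption that a capability not mentioned in a subject is retained.

```python
import re

# Constructed sample policy in grsecurity RBAC syntax (hypothetical, not from the post):
# the default subject follows the description in the reply; the "user" role is deliberately sloppy.
SAMPLE_POLICY = """\
role default G
subject / o {
	/		h
	/dev
	/dev/null	rw
	-CAP_ALL
}

role user u
subject / {
	/		r
	/dev		rw
	-CAP_ALL
	+CAP_SYS_RAWIO
}
"""

RISKY_CAPS = {"CAP_SYS_RAWIO", "CAP_MKNOD"}  # the two caps the reply says subjects should not hold

def lint_policy(text):
    """Return one warning per subject whose /dev object grants r or w, and one per
    risky capability the subject still holds when its block closes.
    Assumption: unmentioned caps are retained; '-CAP_ALL' drops every cap."""
    warnings = []
    role = subject = None
    dev_mode = None
    retained = set(RISKY_CAPS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0] == "role":
            role = fields[1]
        elif fields[0] == "subject":
            subject, dev_mode, retained = fields[1], None, set(RISKY_CAPS)
        elif line == "}":  # end of the subject block: report what it ended up with
            if dev_mode is not None and ("r" in dev_mode or "w" in dev_mode):
                warnings.append(f"role {role} subject {subject}: /dev object grants '{dev_mode}'")
            for cap in sorted(retained & RISKY_CAPS):
                warnings.append(f"role {role} subject {subject}: {cap} is retained")
            subject = None
        elif re.fullmatch(r"[+-]CAP_\w+", fields[0]):
            op, cap = fields[0][0], fields[0][1:]
            if cap == "CAP_ALL":
                retained = set(RISKY_CAPS) if op == "+" else set()
            elif op == "+":
                retained.add(cap)
            else:
                retained.discard(cap)
        elif fields[0] == "/dev":  # the /dev object itself; an omitted mode means no access
            dev_mode = fields[1] if len(fields) > 1 else ""
    return warnings

if __name__ == "__main__":
    for w in lint_policy(SAMPLE_POLICY):
        print("warning:", w)
```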