Date: Sun, 8 Jan 2012 09:53:38 -0800 From: Kees Cook <keescook@...omium.org> To: Matthew Wilcox <matthew@....cx> Cc: Andrew Morton <akpm@...ux-foundation.org>, linux-kernel@...r.kernel.org, Alexander Viro <viro@...iv.linux.org.uk>, Rik van Riel <riel@...hat.com>, Federica Teodori <federica.teodori@...glemail.com>, Lucian Adrian Grijincu <lucian.grijincu@...il.com>, Ingo Molnar <mingo@...e.hu>, Peter Zijlstra <a.p.zijlstra@...llo.nl>, Eric Paris <eparis@...hat.com>, Randy Dunlap <rdunlap@...otime.net>, Dan Rosenberg <drosenberg@...curity.com>, linux-doc@...r.kernel.org, linux-fsdevel@...r.kernel.org, kernel-hardening@...ts.openwall.com Subject: Re: [PATCH v2012.2] fs: symlink restrictions on sticky directories On Sun, Jan 8, 2012 at 3:44 AM, Matthew Wilcox <matthew@....cx> wrote: > On Sat, Jan 07, 2012 at 10:55:48AM -0800, Kees Cook wrote: >> v2012.2: >> - Change sysctl mode to 0600, suggested by Ingo Molnar. >> - Rework CONFIG logic to split code from default behavior. >> - Renamed sysctl to have a "sysctl_" prefix, suggested by Andrew Morton. > > All the sysctl / CONFIG logic seems very complex. Why not make it > a module parameter instead? It can be easily changed at boot time > (specify kernel.insecure_symlinks=1 on the kernel command line) and, > with a mode of 0600, can be modified at runtime too. Well, I'll still need a CONFIG for the code itself, and the normal way to tweak kernel operation is via sysctls, so I'd rather not switch to cmdline options. -Kees -- Kees Cook ChromeOS Security
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.