This patch series turns CONFIG_STRICT_DEVMEM into a sysctl,
dev.mem.restricted.
While the restricted /dev/mem is useful in most scenarios, it is not
when doing live debugging. The crash utility
(http://people.redhat.com/~anderson) needs access to /dev/mem.
As distributor (at least for "enterprise" distributions) you need both:
The protection in the general case and the ability to do live debugging.
The patch doesn't make the kernel more insecure: Without SELinux or
AppArmor, it has always been possible to circumvent that /dev/mem
restriction. With it, you can also prevent the (super) user from doing
"sysctl dev.mem.restricted=1".
This patch series differs in two ways from the original submission:
- The patch that removes CONFIG_STRICT_DEVMEM has been added.
- The binary sysctl is removed, now it's only a /proc/sys sysctl.
While the original submission of CONFIG_STRICT_DEVMEM mentions that the
option has been in RHEL and Fedora for 4 years without problems, that's
only half of the story. The truth is that at least RHEL has /dev/crash
exactly to circumvent that /dev/mem restriction. Don't tell me that this
is better than having that sysctl entry. ;-)
The patch has been tested on i386. There should be no difference to
x86_64.
Signed-off-by: Bernhard Walle <bwalle(a)suse.de>