Skip to content

Commit

Permalink
Secure boot: Add new capability
Browse files Browse the repository at this point in the history 
Secure boot adds certain policy requirements, including that root must not
be able to do anything that could cause the kernel to execute arbitrary code.
The simplest way to handle this would seem to be to add a new capability
and gate various functionality on that. We'll then strip it from the initial
capability set if required.

Signed-off-by: Matthew Garrett <mjg@redhat.com>
Acked-by: Lee, Chun-Yi <jlee@suse.com>
  • Loading branch information
@joeyli
Matthew Garrett authored and joeyli committed Aug 1, 2013
1 parent aad91f4 commit f713b5e
Showing 1 changed file with 5 additions and 1 deletion.
6 changes: 5 additions & 1 deletion include/uapi/linux/capability.h
View file
Expand Up @@ -343,7 +343,11 @@ struct vfs_cap_data {

#define CAP_BLOCK_SUSPEND 36

#define CAP_LAST_CAP CAP_BLOCK_SUSPEND
/* Allow things that trivially permit root to modify the running kernel */

#define CAP_COMPROMISE_KERNEL 37

#define CAP_LAST_CAP CAP_COMPROMISE_KERNEL

#define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)

Expand Down

0 comments on commit f713b5e

Please sign in to comment.