| Anyway, the kernel could never provide you with ultimate security without
| sacrificing all functionality. Once they get in, they will get root and
| once they have root you have lost, you need to have a system without a
| root user and with nobody having capabilities to do things like load
| modules, etc... There are so many local exploits that you would lose
| for sure. If the attacker cannot write to raw device, he will unmount and
| then write to it or he will load a module to send commands to your HD at
| ATAPI or SCSI level and kill your hd that way...
Couldn't you run something like LIDS? This can be used to lock permissions
down so that root can't unmount filesystems, write to raw devices, etc.
Matt
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/