
Bug#389282: linux-2.6: Make BSD secure levels depend on CONFIG_BROKEN



On Sat, Sep 30, 2006 at 07:13:41PM +0200, Moritz Muehlenhoff wrote:
> maximilian attems wrote:
> > On Mon, Sep 25, 2006 at 12:24:33AM +0200, Moritz Muehlenhoff wrote:
> > > 
> > > The LSM for BSD secure levels is broken by design and unmaintained.
> > > (CVE-2005-4351 and CVE-2005-4252). It's scheduled for removal
> > > upstream (http://lkml.org/lkml/2006/8/2/180), but hasn't been dropped
> > > yet in 2.6.18.
> > > 
> > > While it's not enabled in the binary builds, it's selectable for
> > > users building their own kernels. Attached you can find a patch
> > > to make this LSM depend on BROKEN.
> > 
> > please send that upstream, afaik it's disabled in any current sid/testing
> > linux-image.
> 
> Yes, but if it's in the source package, users expect support for it.

not much support, we as d-kernel team don't actively support hand-built
kernels, they are _usually_ out of date and often you find strange
.config choices.
 
> I wrote this patch because it's the least intrusive. If it gets removed
> in the 2.6.19 merge window would you accept it or would you instead merge a
> patch that removes the code entirely?

it is removed in the current tree of linus,
i'll push that patch into svn for the next 2.6.18.
i agree that we don't need it.
 
> Cheers,
>         Moritz

while talking about security stuff, i'd like to see the fedora
patches that close the /dev/{k,}mem barn door pushed upstream.
afaik newer xorg no longer needs to poke randomly in there.

best regards

-- 
maks


