Final (hopefully) privilege escalation policy draft
Richard W.M. Jones
rjones at redhat.com
Thu Feb 11 13:32:17 UTC 2010
On Wed, Feb 10, 2010 at 05:19:59PM -0500, Tony Nelson wrote:
> On 10-02-10 15:48:39, Adam Williamson wrote:
> > Hi, all. So the privilege escalation policy went to FESco, who
> > suggested some minor tweaks and a final run-by the mailing lists
> > before it gets approved.
> > I have now adjusted the draft -
> > https://fedoraproject.org/wiki/User:Adamwill/
> > Draft_Fedora_privilege_escalation_policy
> > - to reflect all feedback from this list and from FESco. It will be
> > reviewed again by FESco next week. Please raise any potential issues
> > or further suggestions for adjustments before then. Of course, even
> > if the policy is accepted by FESCo it will not be set in stone and
> > changes and exceptions can be added in future as appropriate, but I'd
> > like to have it as good as possible at first :) thanks all!
> "Directly read or write directly to or from system memory" has an extra
> (or out of order) "directly".
It's also going to be tricky to run any programs if they can't access
the memory in the system. Can the definition be tightened up --
eg. "kernel memory and memory-mapped devices" or "memory other than
userspace pages allocated to the current user"?
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into Xen guests.
More information about the devel