> lcap CAP_SYS_MODULE CAP_SYS_RAWIO

Thanks for the input. Two points:

1. I am coming at this problem as a laptop user so pcmcia modules must remain and be loadable and unloadable at will - as far as I know, there is no direct way to compile pcmcia modules directly into the kernel like the other drivers.

2. What if /dev/mem access was determined at kernel compile time as an option? I'm not familiar with lcap, but I assume it disables access to /dev/mem without breaking anything, so why not make this risky access optional at kernel level?

> i suggest installing all security updates immediately when they arrive
> and vigilant sysadmin. those will keep your box uncompromised better
> than anything (except turning it off).

Concurred, however, I prefer proactive rather than reactive. The danger of undisclosed exploits always leaves this area of doubt. If the exploit cannot happen in the first place, a whole generation of exploits is eliminated at once.

--------------
Sjarn Valkhoff