Removal of the kernel code/data/bss resources does break kexec/kdump

Linus Torvalds torvalds at
Tue Apr 19 09:20:37 PDT 2016

On Tue, Apr 19, 2016 at 2:04 AM, Dave Young <dyoung at> wrote:
> It is not clear how to handle it, maybe we can assume nobody is using it as
> non-root, leave it as is or just add |CAP_SYS_BOOT for /proc/iomem?

Pretty much nobody uses fine-grained capabilities anyway - they are
one of those bad security things that generally add more complexity
than value(*) - so I wouldn't worry about it unless you actually find
something that cares.


(*) The one exception tends to be certain network services that can
use CAP_NET_BIND_SERVICE like things to really lower their attack
surface. But certainly not one-time things like kexec.

More information about the kexec mailing list