Date: Thu, 22 Aug 2002 19:06:10 -0700 (PDT) From: Brian Buchanan <bwb@holo.org> To: freebsd-security@FreeBSD.ORG Subject: Re: kern/22142: securelevel does not affect mount Message-ID: <20020822185704.Y87847-100000@thought.holo.org> In-Reply-To: <200208230144.g7N1itTB030484@freefall.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
I agree with this in principle. I've already applied a similar patch to the kernel running on my firewall at home. This machine boots off compact flash media and all of its r/w filesystems are MFS, mounted noexec, nodev (with the exception of /dev, of course). With the securelevel raised, I can be reasonably certain that the compact flash's filesystem cannot be tampered with (or inadvertantly changed for any reason). The machine can be power-cycled at any time to restore it to a known state. And as a bonus, any exploits which depend on writing an executable to the filesystem cannot work. My main concern is continuing to add restrictions to the one-dimensional securelevel scheme. Though I suppose this is something which MAC will soon allow us to solve. - Brian To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020822185704.Y87847-100000>