From owner-freebsd-security Fri Feb 9 5:36:54 2001 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 9A20437B846 for ; Fri, 9 Feb 2001 05:36:36 -0800 (PST) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id FAA04527; Fri, 9 Feb 2001 05:35:59 -0800 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda04525; Fri Feb 9 05:35:57 2001 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.2/8.9.1) id f19DZqO59870; Fri, 9 Feb 2001 05:35:52 -0800 (PST) Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdZ59868; Fri Feb 9 05:35:04 2001 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.2/8.9.1) id f19DZ4684120; Fri, 9 Feb 2001 05:35:04 -0800 (PST) Message-Id: <200102091335.f19DZ4684120@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdV84116; Fri Feb 9 05:35:02 2001 X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-Sender: schubert To: "David Beck" Cc: freebsd-security@FreeBSD.ORG Subject: Re: security improvement ? In-reply-to: Your message of "Thu, 08 Feb 2001 22:26:18 +0100." <002c01c09215$c7291220$5b3346c3@no> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Fri, 09 Feb 2001 05:35:02 -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <002c01c09215$c7291220$5b3346c3@no>, "David Beck" writes: > Hi, > > First of all, I would like to mention that this thing I describe here: > - is not for production use (!!!) > - have serious problems (look at the readme file) > - mainly for generating discussion about the idea > - might introduce security problems > > The idea here is to introduce further limitations for the usage of syscalls. > That is to say x process cannot call y syscall, and if he tries it log it > (somewhere). > This is like a user (root) configurable profile for a process for calling > syscalls. > > At the moment I wrote a simplified representation of the idea which can > limit the usage of the syscalls in a specfied jail. This was faster to do > and > shows what I think. > > http://dbeck.beckground.hu/download/scf-0.0.1.tar.gz > > I'm sure that the way it is implemented is bad and instead of writing > a kernel modul like this should make a patch for the kernel. I'm working > on the patch, but in the meantime I'm very much interested what the experts > say about this. You may also wish to take a look at Spy. http://people.freebsd.org/~abial/spy-1.0.tgz Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/Alpha Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD, ISTA Province of BC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message