Date: Fri, 09 Feb 2001 05:35:02 -0800
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To: "David Beck" <dbeck@beckground.hu>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: security improvement ?
Message-ID: <200102091335.f19DZ4684120@cwsys.cwsent.com>
In-Reply-To: Your message of "Thu, 08 Feb 2001 22:26:18 +0100." <002c01c09215$c7291220$5b3346c3@no>

In message <002c01c09215$c7291220$5b3346c3@no>, "David Beck" writes:
> Hi,
>
> First of all, I would like to mention that this thing I describe here:
> - is not for production use (!!!)
> - has serious problems (look at the readme file)
> - mainly for generating discussion about the idea
> - might introduce security problems
>
> The idea here is to introduce further limitations for the usage of syscalls.
> That is to say x process cannot call y syscall, and if he tries it log it
> (somewhere).
> This is like a user (root) configurable profile for a process for calling
> syscalls.
>
> At the moment I wrote a simplified representation of the idea which can
> limit the usage of the syscalls in a specified jail. This was faster to do and
> shows what I think.
>
> http://dbeck.beckground.hu/download/scf-0.0.1.tar.gz
>
> I'm sure that the way it is implemented is bad and instead of writing
> a kernel module like this should make a patch for the kernel. I'm working
> on the patch, but in the meantime I'm very much interested what the experts
> say about this.

You may also wish to take a look at Spy.

http://people.freebsd.org/~abial/spy-1.0.tgz

Regards,                         Phone:  (250)387-8437
Cy Schubert                        Fax:  (250)387-5766
Team Leader, Sun/Alpha Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC