Date: Sun, 26 Mar 2000 19:23:38 -0500 (EST) From: Robert Watson <robert@cyrus.watson.org> To: Dag-Erling Smorgrav <des@flood.ping.uio.no> Cc: security@freebsd.org Subject: Re: Installing modules schg Message-ID: <Pine.NEB.3.96L.1000326190351.5755B-100000@fledge.watson.org> In-Reply-To: <xzpk8ipkg1a.fsf@flood.ping.uio.no>
next in thread | previous in thread | raw e-mail | index | archive | help
I'd like to see people hold off on patches to introduce new schg files
until at least the following are discussed in full:
1) Is schg appropriate for all systems? Should use of schg be restricted
to ``USE_SCHG=yes''? What POLA crud are we going to introduce through
additional schg? Will we break upgrades, etc?
2) Are we adding schg to files in a methodical way, or slapping it on when
we think it might be appropriate? Is the goal to use securelevels, or
is the goal to limit the effects of root compromise, etc, etc? Does
adding schg to these files help? Is it enough?
I don't see that there's any point in introducing new administrative and
development hurdles unless we're sure we're going to get it right and have
a tangible useful result :-).
Before adding schg, I'd like to see a list of all files touched in any way
prior to raising the securelevel, particularly reads. The best way to
think about securelevel from a security-theoretic standpoint is that it is
a very narrow subset of a mandatory Biba integrity policy, with two
classes: kernel, and userland.
If the goal of securelevel is to improve recovery prospects given root
compromise, we have to ask ourselves if we even offer the recovery tools
to take advantage of securelevel effectively. If the goal is to provide a
clamped-down system, why not use jail? Securelevel offers a number of
useful possibilities, but it has long languished as other sections of the
system have been updated, and few people have implemented a production
system based on it.
So my recommendation is that this not be committed at this time.
Robert
On 26 Mar 2000, Dag-Erling Smorgrav wrote:
> Any objections to the following patch?
>
> Index: bsd.kmod.mk
> ===================================================================
> RCS file: /home/ncvs/src/share/mk/bsd.kmod.mk,v
> retrieving revision 1.75
> diff -u -r1.75 bsd.kmod.mk
> --- bsd.kmod.mk 2000/01/28 11:26:46 1.75
> +++ bsd.kmod.mk 2000/03/26 13:37:30
> @@ -203,7 +203,7 @@
> afterinstall:
> .endif
>
> -_INSTALLFLAGS:= ${INSTALLFLAGS}
> +_INSTALLFLAGS:= ${INSTALLFLAGS} -fschg
> .for ie in ${INSTALLFLAGS_EDIT}
> _INSTALLFLAGS:= ${_INSTALLFLAGS${ie}}
> .endfor
>
> DES
> --
> Dag-Erling Smorgrav - des@flood.ping.uio.no
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>
Robert N M Watson
robert@fledge.watson.org http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1000326190351.5755B-100000>