Date: Sun, 26 Mar 2000 19:23:38 -0500 (EST) From: Robert Watson <robert@cyrus.watson.org> To: Dag-Erling Smorgrav <des@flood.ping.uio.no> Cc: security@freebsd.org Subject: Re: Installing modules schg Message-ID: <Pine.NEB.3.96L.1000326190351.5755B-100000@fledge.watson.org> In-Reply-To: <xzpk8ipkg1a.fsf@flood.ping.uio.no>
next in thread | previous in thread | raw e-mail | index | archive | help
I'd like to see people hold off on patches to introduce new schg files until at least the following are discussed in full: 1) Is schg appropriate for all systems? Should use of schg be restricted to ``USE_SCHG=yes''? What POLA crud are we going to introduce through additional schg? Will we break upgrades, etc? 2) Are we adding schg to files in a methodical way, or slapping it on when we think it might be appropriate? Is the goal to use securelevels, or is the goal to limit the effects of root compromise, etc, etc? Does adding schg to these files help? Is it enough? I don't see that there's any point in introducing new administrative and development hurdles unless we're sure we're going to get it right and have a tangible useful result :-). Before adding schg, I'd like to see a list of all files touched in any way prior to raising the securelevel, particularly reads. The best way to think about securelevel from a security-theoretic standpoint is that it is a very narrow subset of a mandatory Biba integrity policy, with two classes: kernel, and userland. If the goal of securelevel is to improve recovery prospects given root compromise, we have to ask ourselves if we even offer the recovery tools to take advantage of securelevel effectively. If the goal is to provide a clamped-down system, why not use jail? Securelevel offers a number of useful possibilities, but it has long languished as other sections of the system have been updated, and few people have implemented a production system based on it. So my recommendation is that this not be committed at this time. Robert On 26 Mar 2000, Dag-Erling Smorgrav wrote: > Any objections to the following patch? > > Index: bsd.kmod.mk > =================================================================== > RCS file: /home/ncvs/src/share/mk/bsd.kmod.mk,v > retrieving revision 1.75 > diff -u -r1.75 bsd.kmod.mk > --- bsd.kmod.mk 2000/01/28 11:26:46 1.75 > +++ bsd.kmod.mk 2000/03/26 13:37:30 > @@ -203,7 +203,7 @@ > afterinstall: > .endif > > -_INSTALLFLAGS:= ${INSTALLFLAGS} > +_INSTALLFLAGS:= ${INSTALLFLAGS} -fschg > .for ie in ${INSTALLFLAGS_EDIT} > _INSTALLFLAGS:= ${_INSTALLFLAGS${ie}} > .endfor > > DES > -- > Dag-Erling Smorgrav - des@flood.ping.uio.no > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > Robert N M Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1000326190351.5755B-100000>