From owner-freebsd-security Thu Dec 30 8:40:48 1999
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id C5A1E15162 for ; Thu, 30 Dec 1999 08:40:45 -0800 (PST) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id LAA66905; Thu, 30 Dec 1999 11:40:28 -0500 (EST) (envelope-from robert@cyrus.watson.org)
Date: Thu, 30 Dec 1999 11:40:28 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: -=ArkanoiD=-
Cc: freebsd-security@freebsd.org
Subject: Re: http://www.intes.odessa.ua/vxe
In-Reply-To: <199912301135.OAA12144@paranoid.eltex.spb.ru>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Have you looked at the TIS Labs Wrappers toolkit? It allows you to specify custom policies for processes based on syscall masks and argument management. It's been a while since I've looked at this work, but my understanding is you can specify general policies to manage processes, quite effectively.

Also, the jail() environment provides far more extensive (almost) virtual machine protection for chroot() processes, and is available in -CURRENT. Shortly, capability and ACL extensions will be available providing similar fine-grained access control support on FreeBSD, allowing you to eliminate concentrations of privileges (such as uid 0 having no extra privileges).

Syscall mask mechanisms such as the one you pointed us to can work, but are in some sense a hack -- given the vast number of ways to potentially attack such a mechanism, you'd have to be very careful.

Robert Watson

On Thu, 30 Dec 1999, -=ArkanoiD=- wrote:

>
> Linux only for now, but not a bad idea..
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

Robert N M Watson
robert@fledge.watson.org http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services