Date: Thu, 30 Dec 1999 11:40:28 -0500 (EST)
From: Robert Watson <robert@cyrus.watson.org>
To: -=ArkanoiD=- <ark@eltex.ru>
Cc: freebsd-security@freebsd.org
Subject: Re: http://www.intes.odessa.ua/vxe
Message-ID: <Pine.BSF.3.96.991230113649.66882A-100000@fledge.watson.org>
In-Reply-To: <199912301135.OAA12144@paranoid.eltex.spb.ru>

Have you looked at the TIS Labs Wrappers toolkit? It allows you to specify custom policies for processes based on syscall masks and argument management. It's been a while since I've looked at this work, but my understanding is you can specify general policies to manage processes, quite effectively.

Also, the jail() environment provides far more extensive (almost) virtual machine protection for chroot() processes, and is available in -CURRENT. Shortly, capability and ACL extensions will be available providing similar fine-grained access control support on FreeBSD, allowing you to eliminate concentrations of privileges (such as uid 0 having no extra privileges).

Syscall mask mechanisms such as the one you pointed us to can work, but are in some sense a hack -- given the vast number of ways to potentially attack such a mechanism, you'd have to be very careful.

Robert Watson

On Thu, 30 Dec 1999, -=ArkanoiD=- wrote:

> Linux only for now, but not a bad idea..
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

Robert N M Watson
robert@fledge.watson.org http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message