Re: thoughts on kernel security issues

From: Stephen Smalley
Date: Fri Jan 14 2005 - 11:06:57 EST

Next message: Stephen Smalley: "Re: thoughts on kernel security issues"
Previous message: Arjan van de Ven: "Re: thoughts on kernel security issues"
In reply to: Arjan van de Ven: "Re: thoughts on kernel security issues"
Next in thread: Stephen Smalley: "Re: thoughts on kernel security issues"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 2005-01-14 at 10:45, Linus Torvalds wrote:
> (or just add a security hook there - it's not like this couldn't be a
> SELinux thing..)
>
> And no, this doesn't trap mprotect(), but that's not the point. The point
> of this is not to make it impossible to execute code on purpose by some
> existing binary - it's to make it impossible for some people to compile or
> download their own binaries.

Just FYI, SELinux does apply checking via the security hooks in mmap and
mprotect, and can be used to prevent a process from executing anything
it can write via policy.

The TPE security module recently posted to lkml by Lorenzo also tries to
prevent untrusted users/groups from executing anything outside of
'trusted paths', likewise using the security hooks in mmap and mprotect.

--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Stephen Smalley: "Re: thoughts on kernel security issues"
Previous message: Arjan van de Ven: "Re: thoughts on kernel security issues"
In reply to: Arjan van de Ven: "Re: thoughts on kernel security issues"
Next in thread: Stephen Smalley: "Re: thoughts on kernel security issues"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]