Re: security patch

From: Valdis . Kletnieks
Date: Thu Sep 22 2005 - 15:04:13 EST


On Thu, 22 Sep 2005 19:44:33 -0000, breno@xxxxxxxxxxxxxxxx said:

> I'm doing a new feature for the Linux kernel 2.6 to protect against all kinds of buffer
> overflow. It works with a new sys_control() system call controlling whether a process can or can't
> call a system call, i.e. sys_execve();

This has been done before. ;)

Also, note *VERY* carefully that this does *NOT* protect against buffer overflow
the way ExecShield and PaX and similar do - this merely tries to mitigate the
damage.

Note that you probably don't *DARE* remove open()/read()/write()/close() from
the "permitted syscall" list - and an attacker can have plenty of fun just with
those 4 syscalls.

(That's also why SELinux was designed to give better granularity to syscalls - it
can restrict a program to "write only to files it *should* be able to write").
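The kind of per-process syscall allowlist the thread discusses, written as a seccomp-bpf filter (an added example, not code from the thread or from breno's patch; filter-mode seccomp did not exist in 2005, it arrived in Linux 3.5). The constructed allowed[] set keeps the four file syscalls the reply says you cannot drop, refuses everything else (execve included) with EPERM, and assumes an x86_64 kernel.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Constructed allowlist: the file syscalls the reply says you cannot remove
 * (open() is openat() in modern libc) plus what a process needs to exit.
 * Everything else, execve included, is refused with EPERM. */
static const int allowed[] = { SYS_read, SYS_write, SYS_openat, SYS_close,
                               SYS_exit, SYS_exit_group };
#define NALLOW (sizeof allowed / sizeof allowed[0])
static struct sock_filter filter_prog[NALLOW + 6];

/* Emit the classic-BPF program into filter_prog; returns its length. */
size_t build_filter(void)
{
    size_t n = 0;
#define EMIT(insn) (filter_prog[n++] = (struct sock_filter)insn)
    EMIT(BPF_STMT(BPF_LD|BPF_W|BPF_ABS, offsetof(struct seccomp_data, arch)));
    EMIT(BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, AUDIT_ARCH_X86_64, 1, 0)); /* assumes x86_64 */
    EMIT(BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL));      /* foreign ABI: kill */
    EMIT(BPF_STMT(BPF_LD|BPF_W|BPF_ABS, offsetof(struct seccomp_data, nr)));
    for (size_t i = 0; i < NALLOW; i++)                   /* match: jump to ALLOW */
        EMIT(BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, allowed[i], NALLOW - i, 0));
    EMIT(BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | EPERM));
    EMIT(BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW));
    return n;
}

int install_filter(void)
{
    struct sock_fprog fprog = { .len = (unsigned short)build_filter(), .filter = filter_prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;  /* required without CAP_SYS_ADMIN */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

int main(void)
{
    if (install_filter()) { perror("seccomp"); return 1; }
    execve("/bin/sh", (char *[]){ "/bin/sh", NULL }, NULL); /* refused by the filter ... */
    perror("execve");              /* ... but write() to stderr still works */
    return 0;
}
```

Once the filter is loaded the process can no longer exec anything, yet it can still read and write every file it can open, which is exactly the damage-limitation (not prevention) the reply describes.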
