Re: security patch
From: Valdis . Kletnieks
Date: Thu Sep 22 2005 - 15:04:13 EST
On Thu, 22 Sep 2005 19:44:33 -0000, breno@xxxxxxxxxxxxxxxx said:
> I'm doing a new feature for linux kernel 2.6 to protect against all kinds of buffer
> overflow. It works with new sys_control() system call controlling if a process can or can't
> call a system call ie. sys_execve();
This has been done before. ;)
Also, note *VERY* carefully that this does *NOT* protect against buffer overflow
the way ExecShield and PAX and similar do - this merely tries to mitigate the
damage.
Note that you probably don't *DARE* remove open()/read()/write()/close() from
the "permitted syscall" list - and an attacker can have plenty of fun just with
those 4 syscalls.
(That's also why SELinux was designed to give better granularity to syscalls - it
can restrict a program to "write only to files it *should* be able to write").
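The difference the message draws between a syscall-name allowlist and per-file granularity, as an added example that is not part of the original message or of any kernel patch: a small user-space C model that evaluates one trace under both kinds of policy. The trace, the paths and the rule table are constructed, and the rule format is hypothetical, not SELinux policy syntax.

```c
#include <stdio.h>
#include <string.h>

/* One requested operation; path is NULL for fd-only calls. */
struct event { const char *sys; const char *path; int want_write; };
struct rule  { const char *prefix; int may_read; int may_write; };
#define LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed sample trace, not captured from a real process. */
static const struct event trace[] = {
    { "execve", "/bin/sh",               0 },
    { "open",   "/var/log/demo/app.log", 1 },
    { "open",   "/etc/demo.conf",        0 },
    { "open",   "/etc/demo.conf",        1 },
    { "open",   "/home/demo/notes.txt",  0 },
    { "close",  NULL,                    0 },
};
/* Policy A: the four syscalls the message says cannot be removed. */
static const char *const permitted[] = { "open", "read", "write", "close" };
/* Policy B: policy A plus hypothetical per-path rules (simple prefix match). */
static const struct rule rules[] = {
    { "/var/log/demo/", 0, 1 },   /* append logs, never read them back */
    { "/etc/demo.conf", 1, 0 },   /* read configuration, never modify it */
};

int syscall_list_allows(const struct event *e) {
    for (size_t i = 0; i < LEN(permitted); i++)
        if (strcmp(e->sys, permitted[i]) == 0)
            return 1;
    return 0;
}

int path_policy_allows(const struct event *e) {
    if (!syscall_list_allows(e)) return 0;
    if (strcmp(e->sys, "open") != 0) return 1;  /* fd calls follow open() */
    for (size_t i = 0; i < LEN(rules); i++)
        if (strncmp(e->path, rules[i].prefix, strlen(rules[i].prefix)) == 0)
            return e->want_write ? rules[i].may_write : rules[i].may_read;
    return 0;                                   /* unlisted path: deny */
}

int count_allowed(int (*policy)(const struct event *)) {
    int n = 0;
    for (size_t i = 0; i < LEN(trace); i++) n += policy(&trace[i]);
    return n;
}

int main(void) {
    printf("syscall allowlist: %d/%zu allowed, path-aware: %d/%zu allowed\n",
           count_allowed(syscall_list_allows), LEN(trace),
           count_allowed(path_policy_allows), LEN(trace));
    return 0;
}
```

Both policies stop the execve() request; only the path-aware one also refuses the write to the configuration file and the read outside the program's own files.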