Re: security patch
From: Chris Wright
Date: Thu Sep 22 2005 - 15:52:36 EST
* breno@xxxxxxxxxxxxxxxx (breno@xxxxxxxxxxxxxxxx) wrote:
> I'm doing a new feature for linux kernel 2.6 to protect against all kinds of buffer
> overflow. It works with new sys_control() system call controling if a process can or can't
> call a system call ie. sys_execve();
This is insufficient to protect against buffer overflow. You are
re-inventing something that's been done multiple times. Each are
arguably more effective. Look at the seccomp option in current kernels.
Look also to policy enforcement via something expressive such as
SELinux.
> I think it can be an option in linux kernel.
We've got what we need in the kernel now.
thanks,
-chris
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/