Re: thoughts on kernel security issues

From: Stephen Smalley
Date: Fri Jan 14 2005 - 11:25:15 EST


On Fri, 2005-01-14 at 10:57, Stephen Smalley wrote:
> Just FYI, SELinux does apply checking via the security hooks in mmap and
> mprotect, and can be used to prevent a process from executing anything
> it can write via policy.
>
> The TPE security module recently posted to lkml by Lorenzo also tries to
> prevent untrusted users/groups from executing anything outside of
> 'trusted paths', likewise using the security hooks in mmap and mprotect.

More generally, you should be able to easily implement the checking you
describe as a new LSM or even as part of the capability security module,
without requiring any change to the core kernel code.

--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
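
The rule quoted above (a process may not execute anything it can write), as an added example that is not part of the original message and is not SELinux or TPE code: a userspace C model of the allow/deny decision a check in the mmap and mprotect hooks could make. The `map_req` struct, its fields, `check_exec_mapping` and the specific deny conditions are assumptions chosen for illustration.

```c
/* Userspace model only: not kernel code, hypothetical names throughout. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/mman.h>

struct map_req {
    int  prot;             /* PROT_* bits being requested */
    bool file_backed;      /* false for anonymous memory */
    bool caller_can_write; /* caller has write access to the backing file */
    bool vma_was_written;  /* mprotect case: private copy already modified */
};

/* Returns 0 to allow and -EACCES to deny, the way a hook would. */
int check_exec_mapping(const struct map_req *r)
{
    if (!(r->prot & PROT_EXEC))
        return 0;            /* not asking to execute anything */
    if (r->prot & PROT_WRITE)
        return -EACCES;      /* writable and executable at the same time */
    if (!r->file_backed)
        return -EACCES;      /* anonymous memory: contents came from the process */
    if (r->caller_can_write)
        return -EACCES;      /* caller could rewrite the backing file */
    if (r->vma_was_written)
        return -EACCES;      /* adding exec after writing a private copy */
    return 0;
}

int main(void)
{
    /* Constructed sample requests, not taken from any real process. */
    struct { const char *what; struct map_req r; } cases[] = {
        { "r-x map of read-only library",     { PROT_READ | PROT_EXEC, true, false, false } },
        { "rwx anonymous mapping",            { PROT_READ | PROT_WRITE | PROT_EXEC, false, false, false } },
        { "r-x map of file caller can write", { PROT_READ | PROT_EXEC, true, true, false } },
        { "mprotect r-x on modified page",    { PROT_READ | PROT_EXEC, true, false, true } },
        { "rw- anonymous data",               { PROT_READ | PROT_WRITE, false, false, false } },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-34s %s\n", cases[i].what,
               check_exec_mapping(&cases[i].r) ? "deny" : "allow");
    return 0;
}
```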
