RE: Secure-linux and standard kernel

Amsden, Zachary (amsdenz@aavid.com)
Thu, 25 Jun 1998 14:11:19 -0400


> -----Original Message-----
> From: Mitchell Blank Jr [SMTP:mitch@execpc.com]
> The real fix will come in 2.3 when ext2 can interface with the
> capabilities stuff. Until then, this will help things. Coming up with
> an ugly kludge (different startup code, different ld.so, etc) is just
> a distraction from real goals like:
>
> 1. Making sure the startup code and ld.so are bullet-proof. If this
> isn't the case the system isn't going to be secure worth a damn anyway.
> Avoiding the problem for a few binaries by writing an alternate loader
> only results in there being more of this code around to audit.
>
> 2. Working towards the filesystem set-capability stuff as mentioned
> above.
>
> -Mitch
Why does ext2 need to know anything about capabilities?
The loader could set capabilities for the binary even
before running any code. There is no need for extra
flags in the filesystem, it would be easier IMHO to add
a new section to the ELF file, like .cap or something.
ld should have no problem linking in this special
section, and gcc has the ability to emit inline asm in
arbitrary sections of a binary, so programs needing
these features could just have a line like:
asm(".section .cap\n" ".long CAPS_REQUIRED\n" ".previous");
It would be very easy to do this with some handy macro
defs. This solution is backwards compatible as well.

Zach Amsden
amsden@andrew.cmu.edu

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
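The scheme sketched in the message above, worked through in C as an added example (this is not code from the post, nor from any kernel or toolchain): a macro that drops a 32-bit capability mask into a ".cap" section with file-scope inline asm, and the loader-side walk that finds that section in an ELF64 image and reads the mask before any program code would run. The section name ".cap", the CAP_* bit values, and all function names are assumptions for illustration; the ELF header layouts are the standard ELF64 ones, spelled out so the code does not depend on the platform's elf.h. The image the parser is exercised on is constructed in memory by build_test_image, so the block runs offline.

```c
/* Added example, not code from the post: emit a ".cap" ELF section holding a
 * capability mask, and parse it from an ELF64 image as a loader would before
 * running any program code. ".cap", CAP_* and all function names are assumed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CAP_NET_BIND 0x1   /* hypothetical capability bits */
#define CAP_CHOWN    0x2
#define CAP_STR_(x) #x
#define CAP_STR(x)  CAP_STR_(x)

/* Program side: put a 32-bit mask in an allocatable ".cap" section of this
 * object. The "\n" separators matter (adjacent string literals merge into one
 * assembler line) and ".previous" returns to the section the compiler was
 * emitting into, so no code lands in .cap. Only meaningful on ELF targets. */
#if defined(__ELF__)
#define DECLARE_CAPS(mask) \
    __asm__(".section .cap,\"a\"\n\t.long " CAP_STR(mask) "\n\t.previous")
#else
#define DECLARE_CAPS(mask)
#endif
DECLARE_CAPS(CAP_NET_BIND | CAP_CHOWN);

/* Little-endian ELF64 header layouts (field order as in <elf.h>), declared
 * here so the example does not depend on the platform's elf.h. Host is
 * assumed little-endian (x86-64, aarch64) when the headers are memcpy'd. */
struct ehdr64 { uint8_t e_ident[16]; uint16_t e_type, e_machine; uint32_t e_version;
                uint64_t e_entry, e_phoff, e_shoff; uint32_t e_flags; uint16_t e_ehsize,
                e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx; };
struct shdr64 { uint32_t sh_name, sh_type; uint64_t sh_flags, sh_addr, sh_offset, sh_size;
                uint32_t sh_link, sh_info; uint64_t sh_addralign, sh_entsize; };

/* Loader side: find ".cap" in an untrusted ELF64 image and read its mask.
 * Every offset is checked against len. Returns 0 and stores the mask, or -1
 * if the image is malformed, truncated, or has no .cap section. */
int cap_section_mask(const uint8_t *img, size_t len, uint32_t *mask)
{
    struct ehdr64 eh; struct shdr64 strtab, sh;
    if (len < sizeof eh) return -1;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, "\x7f""ELF", 4) != 0 || eh.e_ident[4] != 2 /* ELFCLASS64 */
        || eh.e_ident[5] != 1 /* ELFDATA2LSB */ || eh.e_shentsize != sizeof sh
        || eh.e_shnum == 0 || eh.e_shstrndx >= eh.e_shnum || eh.e_shoff > len
        || (uint64_t)eh.e_shnum * sizeof sh > len - eh.e_shoff)
        return -1;
    memcpy(&strtab, img + eh.e_shoff + (size_t)eh.e_shstrndx * sizeof sh, sizeof sh);
    if (strtab.sh_offset > len || strtab.sh_size > len - strtab.sh_offset) return -1;
    const char *names = (const char *)img + strtab.sh_offset;
    for (unsigned i = 0; i < eh.e_shnum; i++) {
        memcpy(&sh, img + eh.e_shoff + (size_t)i * sizeof sh, sizeof sh);
        /* the section name must be NUL-terminated inside the string table */
        if (sh.sh_name >= strtab.sh_size
            || memchr(names + sh.sh_name, 0, strtab.sh_size - sh.sh_name) == NULL
            || strcmp(names + sh.sh_name, ".cap") != 0)
            continue;
        /* a .cap of the wrong size or out of bounds is an error, not "no caps" */
        if (sh.sh_size != 4 || sh.sh_offset > len || sh.sh_size > len - sh.sh_offset)
            return -1;
        const uint8_t *p = img + sh.sh_offset;
        *mask = (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
        return 0;
    }
    return -1;
}

/* Constructed test input: a minimal ELF64 image with only a .cap section and
 * a section-name table: [ehdr][.cap][.shstrtab][3 section headers].
 * Returns the image length, or 0 if buf is too small. */
size_t build_test_image(uint32_t mask, uint8_t *buf, size_t cap)
{
    static const char names[] = "\0.cap\0.shstrtab";   /* ".cap" at 1, ".shstrtab" at 6 */
    const size_t cap_off = sizeof(struct ehdr64), str_off = cap_off + 4;
    const size_t sh_off = (str_off + sizeof names + 7) & ~(size_t)7;
    const size_t total = sh_off + 3 * sizeof(struct shdr64);
    struct ehdr64 eh = {0}; struct shdr64 sh[3] = {0};
    if (cap < total) return 0;
    memset(buf, 0, total);
    memcpy(eh.e_ident, "\x7f""ELF\x02\x01\x01", 7);     /* 64-bit, LE, version 1 */
    eh.e_type = 2; eh.e_machine = 62; eh.e_version = 1; /* ET_EXEC, EM_X86_64 */
    eh.e_shoff = sh_off; eh.e_ehsize = sizeof eh; eh.e_shentsize = sizeof sh[0];
    eh.e_shnum = 3; eh.e_shstrndx = 2;
    memcpy(buf, &eh, sizeof eh);
    for (int i = 0; i < 4; i++) buf[cap_off + i] = (uint8_t)(mask >> (8 * i));
    memcpy(buf + str_off, names, sizeof names);
    sh[1] = (struct shdr64){ .sh_name = 1, .sh_type = 1 /* PROGBITS */, .sh_flags = 2 /* ALLOC */,
                             .sh_offset = cap_off, .sh_size = 4, .sh_addralign = 4 };
    sh[2] = (struct shdr64){ .sh_name = 6, .sh_type = 3 /* STRTAB */,
                             .sh_offset = str_off, .sh_size = sizeof names, .sh_addralign = 1 };
    memcpy(buf + sh_off, sh, sizeof sh);
    return total;
}

/* Round trip: build an image carrying `mask` and parse it back, looking only
 * at its first `len` bytes. Returns the mask, or 0xffffffff on failure. */
uint32_t roundtrip_mask(uint32_t mask, size_t len)
{
    uint8_t buf[512]; uint32_t out;
    size_t n = build_test_image(mask, buf, sizeof buf);
    if (n == 0) return 0xffffffffu;
    return cap_section_mask(buf, len < n ? len : n, &out) == 0 ? out : 0xffffffffu;
}
```

On a Linux build the same cap_section_mask run over the bytes of the compiled binary (for instance read from /proc/self/exe) returns the mask DECLARE_CAPS emitted, and `readelf -x .cap` on the file shows the four bytes. Two things a loader author would still have to settle: the parser above treats the image as hostile and rejects anything truncated or inconsistent, because this code runs on every exec; and the section only lets a binary state which capabilities it wants, so whatever grants them still needs some basis for trusting that file, since any user can compile a program with a .cap section of their choosing.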