DragonFly BSD
DragonFly kernel List (threaded) for 2003-08
[Date Prev][Date Next]  [Thread Prev][Thread Next]  [Date Index][Thread Index]

Re: Buffer overflow?


From: Richard Coleman <richardcoleman@xxxxxxxxxxxxxx>
Date: Fri, 01 Aug 2003 16:49:04 -0400

Matthew Dillon wrote:
    Well, I am neutral on the topic.  I generally consider these
    sorts of security fixes as masking the problem rather than
    fixing it.  What I would like to see (and another reason for
    doing the VFS layer and syscall emulation) is a way to limit
    a program's ability to manipulate its environment to just
    the files that we say it can access/modify.  Also, the ability
    to wrap a program with another program which takes control of
    its syscalls (another reason for doing syscall messaging).

    As an extreme example take a program like 'ls'.  There is
    no reason under the sun for the system to allow a program
    like 'ls' to exec(), yet nearly all UNIX systems do allow
    this.  You get the drift of where I'm going...

The key is to make this all doable in userland. Restricting
these sorts of features to the kernel greatly reduces the
number of people who can potentially develop code up related projects.

Aren't these exactly the reasons that people added Mandatory Access Controls (MAC)? It sounds like you want a user-space version of MACs.


Also, "systrace" does something similar. I know that OpenBSD has this.

Richard Coleman
richardcoleman@xxxxxxxxxxxxxx
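The idea in the quoted text (wrap a program so that the wrapper decides which syscalls it may make, e.g. never let 'ls' exec()) is what a syscall filter does. The following is an added example, not code from DragonFly, systrace or anyone in this thread. It assumes a Linux host with seccomp-bpf (the closest widely available mechanism today), compiles on x86_64 or aarch64, and uses names of my own choosing (install_no_exec_filter, run_without_exec, the two body_* functions). The filter denies execve()/execveat() with EPERM, so the wrapped code sees an ordinary failed library call, and lets every other syscall through; a forked child installs the filter and runs a body function so the parent can observe the result.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL   /* older kernel headers */
#endif

/* Assumption: built on x86_64 or aarch64 (the arch check below is ABI-specific). */
#if defined(__x86_64__)
#define WRAP_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define WRAP_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "set WRAP_AUDIT_ARCH to the AUDIT_ARCH_* value for this CPU"
#endif

/* Install a seccomp-bpf filter in the calling process: execve() and
 * execveat() fail with EPERM, every other syscall passes through.
 * Returns 0 on success, -errno on failure. (Example code, not DragonFly's.) */
static int install_no_exec_filter(void)
{
    struct sock_filter filter[] = {
        /* 0-2: A = arch; kill the process if the filter was built for another ABI */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, WRAP_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* 3-6: A = syscall number; exec-family calls jump to the deny rule */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execve,   2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execveat, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        /* 7: refuse with errno EPERM rather than killing the process */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof filter / sizeof filter[0]),
        .filter = filter,
    };

    /* Needed for an unprivileged process to load a filter; also prevents a
     * later setuid exec from gaining privileges the filter did not foresee. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -errno;
    return 0;
}

/* The "wrapper": fork, install the filter in the child, run body() there,
 * and report its exit code. 100 means the filter could not be installed;
 * 128+signal means the child was killed (e.g. by the arch check). */
static int run_without_exec(int (*body)(void))
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (install_no_exec_filter() != 0)
            _exit(100);
        _exit(body() & 0xff);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    if (WIFSIGNALED(status))
        return 128 + WTERMSIG(status);
    return WEXITSTATUS(status);
}

/* A body that tries to exec a shell, which 'ls' never needs to do. */
static int body_try_exec(void)
{
    execl("/bin/sh", "sh", "-c", "exit 0", (char *)NULL);
    return errno;   /* only reached when the kernel refused the exec */
}

/* A body that only does file I/O, which the filter leaves alone. */
static int body_read_file(void)
{
    char buf[16];
    int fd = open("/dev/null", O_RDONLY);
    if (fd < 0)
        return errno;
    ssize_t n = read(fd, buf, sizeof buf);
    close(fd);
    return n == 0 ? 0 : 2;
}

int main(void)
{
    int exec_rc = run_without_exec(body_try_exec);
    int read_rc = run_without_exec(body_read_file);
    printf("exec under filter: rc=%d (%s)\n", exec_rc, exec_rc == EPERM ? "refused" : "unexpected");
    printf("read under filter: rc=%d (%s)\n", read_rc, read_rc == 0 ? "allowed" : "unexpected");
    return (exec_rc == EPERM && read_rc == 0) ? 0 : 1;
}
```

Two design points worth noting. The filter checks the architecture first, because syscall numbers differ between ABIs and a filter that keys only on the number can be bypassed by switching ABI. And it returns EPERM rather than killing the process, which is the behaviour the quoted text implies for a policy that simply withholds a capability; a kill-on-violation policy is the right choice when the call is evidence of compromise rather than an ordinary error path.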
