Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S262018AbVANQX5 (ORCPT ); Fri, 14 Jan 2005 11:23:57 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S262019AbVANQX5 (ORCPT ); Fri, 14 Jan 2005 11:23:57 -0500 Received: from facesaver.epoch.ncsc.mil ([144.51.25.10]:40346 "EHLO epoch.ncsc.mil") by vger.kernel.org with ESMTP id S262018AbVANQX4 (ORCPT ); Fri, 14 Jan 2005 11:23:56 -0500 Subject: Re: thoughts on kernel security issues From: Stephen Smalley To: Linus Torvalds Cc: Horst von Brand , Alan Cox , Christoph Hellwig , Dave Jones , Andrew Morton , marcelo.tosatti@cyclades.com, Greg KH , Chris Wright , Linux Kernel Mailing List In-Reply-To: <1105718220.26366.90.camel@moss-spartans.epoch.ncsc.mil> References: <200501141239.j0ECdaRj005677@laptop11.inf.utfsm.cl> <1105718220.26366.90.camel@moss-spartans.epoch.ncsc.mil> Content-Type: text/plain Organization: National Security Agency Message-Id: <1105719442.26366.96.camel@moss-spartans.epoch.ncsc.mil> Mime-Version: 1.0 X-Mailer: Ximian Evolution 1.4.6 (1.4.6-2) Date: Fri, 14 Jan 2005 11:17:22 -0500 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 962 Lines: 22 On Fri, 2005-01-14 at 10:57, Stephen Smalley wrote: > Just FYI, SELinux does apply checking via the security hooks in mmap and > mprotect, and can be used to prevent a process from executing anything > it can write via policy. > > The TPE security module recently posted to lkml by Lorenzo also tries to > prevent untrusted users/groups from executing anything outside of > 'trusted paths', likewise using the security hooks in mmap and mprotect. More generally, you should be able to easily implement the checking you describe as a new LSM or even as part of the capability security module, without requiring any change to the core kernel code. -- Stephen Smalley National Security Agency - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/