Re: secure computing for 2.6.7

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Alexander Lyamin <flx@msu.ru>
To: Stephen Smalley <sds@epoch.ncsc.mil>
Cc: Hans Reiser <reiser@namesys.com>,
	andrea@cpushare.com, lkml <linux-kernel@vger.kernel.org>,
	Andrew Morton <akpm@osdl.org>
Subject: Re:  secure computing for 2.6.7
Date: Wed, 4 Aug 2004 01:02:39 +0400	[thread overview]
Message-ID: <20040803210239.GB7236@alias.nmd.msu.ru> (raw)
In-Reply-To: <1091536845.7645.60.camel@moss-spartans.epoch.ncsc.mil>

Tue, Aug 03, 2004 at 08:40:45AM -0400, Stephen Smalley wrote:
> On Wed, 2004-07-07 at 15:27, Hans Reiser wrote:
> > Am I right to think that this could complement nicely our plans 
> > described at www.namesys.com/blackbox_security.html
> Hi Hans,
> 
> Out of curiosity, what do you think that this proposal will achieve that
> cannot already be done via SELinux policy?  SELinux policy can already
> express access rules based not only on the executable and user, but even
> the entire call chain that led to a given executable.

convinience ? speed ?

RBAC is a Good Thing, but I wonder if it could provide throughout syntax analysis
for vfs related syscalls. As it is now.

At least what declared in their docs, fs-wise they are somewhat like this

Macro Name	Description
stat_file_perms	Permissions to call stat or access on a file.
x_file_perms	Permissions to execute a file.
r_file_perms	Permissions to read a file.
rx_file_perms	Permissions to read and execute a file.
rw_file_perms	Permissions to read and write a file.
ra_file_perms	Permissions to read and append to a file.
link_file_perms	Permissions to link, unlink, or rename a file.
create_file_perms	Permissions to create, access, and delete a file.
r_dir_perms	Permissions to read and search a directory.
rw_dir_perms	Permissions to read and modify a directory.
ra_dir_perms	Permissions to read and add entries to a directory.
create_dir_perms	Permissions to create, access, and delete a directory.
mount_fs_perms	Permissions to mount and unmount a filesystem.

*shrugs*
Well, I am probably wrong...

p.s. _AND_ if I remember correctly reiser4 supposed to provide finer-then-file grain security.
well, at least it easily could, being truly semantic-enabled fs.

-- 
"the liberation loophole will make it clear.."
lex lyamin

next prev parent reply	other threads:[~2004-08-03 21:02 UTC|newest]

Thread overview: 42+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2004-07-04 17:39 secure computing for 2.6.7 andrea
2004-07-04 21:35 ` Andrew Morton
2004-07-04 23:32   ` andrea
2004-07-05  0:37     ` Phy Prabab
2004-10-12 14:24   ` Andrea Arcangeli
2004-10-12 15:32     ` Rik van Riel
2004-10-12 15:59       ` Andrea Arcangeli
2004-10-12 16:28         ` Rik van Riel
2004-10-12 17:46           ` Andrea Arcangeli
2004-10-12 18:04             ` Rik van Riel
2004-10-12 18:10             ` Rik van Riel
2004-10-12 18:29               ` Andrea Arcangeli
2004-07-07 19:27 ` Hans Reiser
2004-08-01 10:22   ` Andrea Arcangeli
2004-08-01 12:01     ` chris
2004-08-01 15:01       ` Andrea Arcangeli
2004-08-01 17:29         ` chris
2004-08-01 18:52           ` Bernd Eckenfels
2004-08-01 20:45           ` Alan Cox
2004-08-01 23:10             ` Andrea Arcangeli
2004-08-01 23:08               ` Alan Cox
2004-08-02 10:25                 ` Andrea Arcangeli
2004-08-01 23:06           ` Andrea Arcangeli
2004-08-02  6:52             ` David Wagner
2004-08-03 12:48         ` Stephen Smalley
2004-08-01 14:55     ` Bernd Eckenfels
2004-08-01 15:51       ` Andrea Arcangeli
2004-08-01 17:24         ` Bernd Eckenfels
2004-08-02  3:17         ` Horst von Brand
2004-08-02 16:31           ` Andrea Arcangeli
2004-08-03 12:40   ` Stephen Smalley
2004-08-03 21:02     ` Alexander Lyamin [this message]
2004-08-05 11:47       ` Stephen Smalley
2004-08-04  8:57     ` Hans Reiser
2004-08-05 11:48       ` Stephen Smalley
2004-08-07 23:20     ` Hans Reiser
2004-08-09 12:35       ` Stephen Smalley
     [not found] <2ejhQ-4lc-5@gated-at.bofh.it>
     [not found] ` <2fqhq-1RU-45@gated-at.bofh.it>
     [not found]   ` <2olLt-4wI-5@gated-at.bofh.it>
2004-08-02  0:05     ` Andi Kleen
2004-08-02 10:19       ` Andrea Arcangeli
2004-08-02 19:06         ` Rik van Riel
2004-08-02 21:35           ` Andrea Arcangeli
2004-08-04 13:18       ` V13

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20040803210239.GB7236@alias.nmd.msu.ru \
    --to=flx@msu.ru \
    --cc=akpm@osdl.org \
    --cc=andrea@cpushare.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=reiser@namesys.com \
    --cc=sds@epoch.ncsc.mil \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.