Re: dirjail module

From: Chris Wright (chrisw@private)
Date: Tue Nov 11 2003 - 20:06:15 PST


    * Serge E. Hallyn (hallyn@private) wrote:
    > > file has b0rked many a set-UID program. (yes, this is still a problem with
    > > enough software that the grsecurity patch includes a 'force 0/1/2 to /dev/null
    > > if not open' section).
    
    Hrm, never knew "in grsecurity patch" meant "addresses widespread security
    issue" ;-)
    
    > That behavior might well be worth emulating.
    > (or implementing as part of another lsm?)
    
    Actually, it's in owlsm.  It's also part of glibc (see
    __libc_check_standard_fds), so Solar took it out of the Openwall patchset.
    One could argue that it's dead code.
    
    thanks,
    -chris
    -- 
    Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
    


