Hi Felipe,

On Thu, 06-01-2005 at 19:00 +0100, Felipe Alfaro Solana wrote:
> On 6 Jan 2005, at 15:50, Lorenzo Hernández García-Hierro wrote:
>
> >> The two biggest issues are 1) it's trivial to bypass:
> >> $ /lib/ld.so /untrusted/path/to/program
> >> and 2) that there's no (visible/vocal) user base calling for the
> >> feature.
> >
> > About the point 1), yesterday I wrote just a simple regression test
> > (that can be found at the same place as the patch) and of course it
> > bypasses, this is an old commented problem, Stephen suggested the use
> > of the mmap and mprotect hooks, so, I will have a look at them but I'm
> > not sure on how to (really) prevent the dirty, old trick.
> > About 2), just give it a chance, maybe it's useful and my work is not
> > completely nonsense.
>
> Well, I'm not a visible/vocal user base, but I do really like this TPE
> LSM module.

Thanks :)
I hope you will like much more the revision I'm coding right now.
Tonight, my queue is a bit overloaded, I need to fix some things in the
SELinux 2.4 backport, but I hope I will finish it today as it doesn't
require a lot of time.

Cheers,
-- 
Lorenzo Hernández García-Hierro <lorenzo@private>
[1024D/6F2B2DEC] [2048g/9AE91A22]
Hardened Debian head developer & project manager
This archive was generated by hypermail 2.1.3 : Thu Jan 06 2005 - 12:53:47 PST