* Syed Ahemed (kingkhan@private) wrote:
> Solution 2
> ---------------
> a] LSM with SELinux: what does it do that LIDS [with/without LSM] can't?
> Note: I haven't seen a debate LIDS vs. SELinux, maybe they aren't
> alike at all. But we have a co-existence problem to solve too.

For the purpose of your examples, consider LIDS and SELinux to have very
similar properties.

> b] Implement my own strncpy or strcpy with better length checking

For user-space buffer overflow? Sure, it's always useful to carefully
audit that kind of code.

> c] Openwall patch is a part of base kernel will take care of
> executable stack issue

Base 2.6 has some support for NX stack. Also, you can look at
exec-shield in Fedora kernels, or the SSP patch to gcc. Stopping the
buffer overflow is fundamentally different from limiting that damage
domain.

Point is... there is no single silver bullet. Best solution is to employ
best security practices at each relevant layer.

thanks,
-chris
--
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
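As an added illustration of point b] above (this is example code written for this archive page, not code posted by either participant or by the LSM project), the following C shows the two things a practitioner actually wants from a "strcpy with better length checking": the destination is always NUL-terminated within its bounds, and truncation is reported to the caller instead of silently producing a garbage string. It also shows why plain strncpy() is not that fix: when the source exactly fills the buffer, strncpy() writes no terminator at all. The function names (safe_copy, strncpy_terminated, and the two helpers) and the sample input are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: a bounded copy in the style of BSD strlcpy().
 * Always NUL-terminates dst when dstsize > 0 and returns strlen(src),
 * so a return value >= dstsize tells the caller the copy was truncated.
 * Names here are illustrative, not from the mailing-list thread. */
size_t safe_copy(char *dst, size_t dstsize, const char *src)
{
    size_t srclen = strlen(src);
    if (dstsize == 0)
        return srclen;                      /* nothing to write into */
    size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';                          /* terminator is unconditional */
    return srclen;
}

/* Shows the strncpy() pitfall: copy src into a bufsize-byte buffer with
 * strncpy() and report whether a NUL terminator ended up inside it.
 * Returns 1 if terminated, 0 if not, -1 on allocation failure. */
int strncpy_terminated(const char *src, size_t bufsize)
{
    char *buf = malloc(bufsize);
    if (!buf)
        return -1;
    memset(buf, 'X', bufsize);              /* make an unterminated result visible */
    strncpy(buf, src, bufsize);
    int terminated = memchr(buf, '\0', bufsize) != NULL;
    free(buf);
    return terminated;
}

/* Constructed sample input (40 bytes), longer than the 16-byte field below. */
static const char *const sample = "attacker-controlled-input-longer-than-16";

/* Copy sample into a 16-byte buffer; return what safe_copy() reports. */
size_t needed_len_16(void)
{
    char buf[16];
    return safe_copy(buf, sizeof buf, sample);
}

/* Same copy; return the length of the string actually stored. */
size_t stored_len_16(void)
{
    char buf[16];
    safe_copy(buf, sizeof buf, sample);
    return strlen(buf);
}

int main(void)
{
    char buf[16];
    size_t need = safe_copy(buf, sizeof buf, sample);
    if (need >= sizeof buf)
        printf("truncated: needed %zu bytes, kept \"%s\"\n", need, buf);
    printf("strncpy terminated when src is shorter than buf: %d\n",
           strncpy_terminated("short", 16));
    printf("strncpy terminated when src exactly fills buf:   %d\n",
           strncpy_terminated("0123456789abcdef", 16));
    return 0;
}
```

The caller-visible truncation signal is the point: silently cutting attacker-controlled input can itself be a bug (a path or username that changes meaning when shortened), so the safe choice on `need >= sizeof buf` is usually to reject the input rather than proceed with the truncated copy. As Chris notes, this only addresses the overflow itself; NX stacks, exec-shield and SSP limit what an overflow that does slip through can do, and are a separate layer.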
This archive was generated by hypermail 2.1.3 : Tue Jan 18 2005 - 15:03:39 PST