On Mon 2011-05-16 10:36:05, James Morris wrote:
> On Fri, 13 May 2011, Ingo Molnar wrote:
>
> > > How do you reason about the behavior of the system as a whole?
> >
> > I argue that this is the LSM and audit subsystems designed right: in the long
> > run it could allow everything that LSM does at the moment - and so much more
> > ...
>
> Now you're proposing a redesign of the security subsystem. That's a
> significant undertaking.
>
> In the meantime, we have a simple, well-defined enhancement to seccomp
> which will be very useful to current users in reducing their kernel attack
> surface.

Well, you can do the same with subterfugue, even without kernel changes.
But that's ptrace -- slow. (And it already shows that syscall-based
filters are extremely tricky to configure.)

If you want speed, seccomp+server for non-permitted operations seems
like a reasonable way.

-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html