To: Darren Reed
Cc: ncb@zip.com.au, brian@CSUA.Berkeley.EDU, freebsd-security@FreeBSD.ORG
Subject: Re: proposed secure-level 4 patch
In-reply-to: Your message of "Sun, 20 Jun 1999 17:35:33 +1000." <199906200735.RAA06817@cheops.anu.edu.au>
Date: Sun, 20 Jun 1999 10:02:46 +0200
Message-ID: <12512.929865766@critter.freebsd.dk>
From: Poul-Henning Kamp

In message <199906200735.RAA06817@cheops.anu.edu.au>, Darren Reed writes:
>> I actually thought of that at one point: You load a bunch of approved
>> md5 sums into the kernel, set a flag and then only binaries which
>> are on the list can be executed.  Trouble is that shared libs need
>> to be checked too and they're handled in userland.  Of course static
>> binaries could be made mandatory.
>
>Sounds just like what's under development for NetBSD right now.  Maybe
>you should wait until it's complete there and then import it ?

It's below rank #50 on my TODO list, so unless they're very incompetent
there is no doubt they'll get to it before me :-)

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!
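
An added example, not part of the original message and not FreeBSD or NetBSD code: a userland sketch of the exec gate discussed in the quoted text, with an approved md5 list plus the "static binaries mandatory" rule that closes the shared-library gap. The function names, the ELF64 little-endian image format and the constructed sample images are assumptions made for illustration.

```python
import hashlib
import struct

PT_LOAD, PT_INTERP = 1, 3   # ELF program header types; PT_INTERP names the runtime linker

def build_elf64(dynamic):
    """Constructed sample: a 64-byte ELF64 header followed by one program header."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)       # 64-bit, little-endian
    # e_type, e_machine, e_version, e_entry, e_phoff=64, e_shoff, e_flags,
    # e_ehsize=64, e_phentsize=56, e_phnum=1, e_shentsize, e_shnum, e_shstrndx
    header = ident + struct.pack("<HHIQQQIHHHHHH",
                                 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    p_type = PT_INTERP if dynamic else PT_LOAD
    return header + struct.pack("<IIQQQQQQ", p_type, 0, 0, 0, 0, 0, 0, 0)

def needs_runtime_linker(image):
    """True if the image asks for a runtime linker, i.e. libraries load in userland."""
    if image[:4] != b"\x7fELF" or image[4] != 2 or image[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (phoff,) = struct.unpack_from("<Q", image, 32)             # e_phoff
    phentsize, phnum = struct.unpack_from("<HH", image, 54)    # e_phentsize, e_phnum
    for i in range(phnum):
        (p_type,) = struct.unpack_from("<I", image, phoff + i * phentsize)
        if p_type == PT_INTERP:
            return True
    return False

def may_exec(image, approved, static_only=True):
    """Return (allowed, reason) for an exec request under the approved-digest policy."""
    if hashlib.md5(image).hexdigest() not in approved:
        return (False, "digest not on approved list")
    # Hashing the binary says nothing about libraries mapped later by the
    # runtime linker, so the strict policy refuses dynamically linked images.
    if static_only and needs_runtime_linker(image):
        return (False, "approved, but shared libraries would load unchecked")
    return (True, "ok")

if __name__ == "__main__":
    static_img, dynamic_img = build_elf64(False), build_elf64(True)
    approved = {hashlib.md5(i).hexdigest() for i in (static_img, dynamic_img)}
    for name, img in (("static", static_img), ("dynamic", dynamic_img),
                      ("modified", static_img + b"\x00")):
        print(name, may_exec(img, approved))
```

With static_only=False the dynamic image is allowed on its digest alone, which is the gap the quoted text points out.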