Date: Tue, 29 Mar 2005 23:28:10 +0200 From: Joerg Sonnenberger <joerg@britannica.bec.de> To: freebsd-hackers@freebsd.org Subject: Re: A few thoughts.. Message-ID: <20050329212810.GB3199@britannica.bec.de> In-Reply-To: <62208.81.84.174.37.1112130745.squirrel@mail.revolutionsp.com> References: <61910.81.84.174.37.1112123946.squirrel@mail.revolutionsp.com> <20050329213528.59dab2e2.flynn@energyhq.es.eu.org> <62208.81.84.174.37.1112130745.squirrel@mail.revolutionsp.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Mar 29, 2005 at 03:12:25PM -0600, H. S. wrote: > This could be compared to what was done in FreeBSD lately, I remember in > 4.7 (and probably later, up to 4.10 I think) a user could see the full > connection lists (even connections from other users), only later the > kern.ps_showallprocs/security.bsd.see_other_uids took effect for these > matters too. It needs time to implement and actually process such checks. > > Have a look at mac(3), mac(4) and mac.conf(5), it's not systrace but you > > can achieve > > similar results. > > Systrace is much more complex than mac. That's a good one! It's actually quite the reverse, MAC is much more powerful than systrace, simply because it operates on a different level. You can do all this kind of checks with a MAC policy, if something does not have the necessary hooks, complain to Robert Watson :) Joerg
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050329212810.GB3199>