Date: Thu, 24 Jul 2008 09:39:36 -0700 (PDT) From: Matthew Dillon <dillon@apollo.backplane.com> To: Robert Watson <rwatson@freebsd.org> Cc: Kostik Belousov <kostikbel@gmail.com>, Liste FreeBSD-security <freebsd-security@freebsd.org>, Lyndon Nerenberg <lyndon@orthanc.ca> Subject: Re: A new kind of security needed Message-ID: <200807241639.m6OGda4b004216@apollo.backplane.com> References: <f383264b0807161710m285ed915m8ea9d088fbe83df9@mail.gmail.com> <alpine.BSF.1.00.0807162303490.34772@treehorn.dfmm.org> <884CB541-7977-4EF1-9B72-7226BDF30188@patpro.net> <20080717085136.B87887@fledge.watson.org> <05661513-E0DA-4B33-BD4E-FCF73943F332@orthanc.ca> <20080724090549.G63347@fledge.watson.org> <20080724085910.GG97161@deviant.kiev.zoral.com.ua> <20080724100439.D63347@fledge.watson.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Doesn't OpenBSD have a syscall filtering mechanic where one can restrict the file paths the program is allowed to access? What I would like to see is the ability to just wrap an application with a few process-tracked control directives which restricts what portion of the filesystem and kernel namespace the program (and all its children)" can then access. So, e.g. something like: #!/bin/csh # pmac $$ << EOF restrict all allow-read ~/.firefox /usr/pkg/bin allow-read /etc allow-write ~/.firefox ~/download allow-connect <path_to_X11_socket> <<<<<< ok that probably would be allow-connect named a gaping hole, but... exec firefox ... EOF It seems to me it would be fairly simple filter to make. The problem with using different usernames, jails, chroots... the problem with all of that is that they are not fine-grained mechanisms and it is seriously inconvenient to set up on an application-by-application basis. -Matt Matthew Dillon <dillon@backplane.com>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200807241639.m6OGda4b004216>