Date: Thu, 24 Jul 2008 09:39:36 -0700 (PDT)
From: Matthew Dillon <dillon@apollo.backplane.com>
To: Robert Watson <rwatson@freebsd.org>
Cc: Kostik Belousov <kostikbel@gmail.com>, Liste FreeBSD-security <freebsd-security@freebsd.org>, Lyndon Nerenberg <lyndon@orthanc.ca>
Subject: Re: A new kind of security needed
Message-ID: <200807241639.m6OGda4b004216@apollo.backplane.com>
References: <f383264b0807161710m285ed915m8ea9d088fbe83df9@mail.gmail.com> <alpine.BSF.1.00.0807162303490.34772@treehorn.dfmm.org> <884CB541-7977-4EF1-9B72-7226BDF30188@patpro.net> <20080717085136.B87887@fledge.watson.org> <05661513-E0DA-4B33-BD4E-FCF73943F332@orthanc.ca> <20080724090549.G63347@fledge.watson.org> <20080724085910.GG97161@deviant.kiev.zoral.com.ua> <20080724100439.D63347@fledge.watson.org>

Doesn't OpenBSD have a syscall filtering mechanic where one can restrict
the file paths the program is allowed to access?
What I would like to see is the ability to just wrap an application
with a few process-tracked control directives which restrict what
portion of the filesystem and kernel namespace the program (and all
its children) can then access. So, e.g. something like:

    #!/bin/csh
    #
    pmac $$ << EOF
    restrict all
    allow-read ~/.firefox /usr/pkg/bin
    allow-read /etc
    allow-write ~/.firefox ~/download
    allow-connect <path_to_X11_socket>    <<<<<< ok that probably would be
    allow-connect named                          a gaping hole, but...
    exec firefox ...
    EOF

It seems to me it would be a fairly simple filter to make.
The problem with using different usernames, jails, chroots... the
problem with all of that is that they are not fine-grained mechanisms
and it is seriously inconvenient to set up on an application-by-application
basis.
-Matt
Matthew Dillon
<dillon@backplane.com>
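The policy sketch above, as an added example that is not part of the mail or of any FreeBSD or DragonFly code: a small Python evaluator for the hypothetical pmac directive format. It assumes "~" is expanded against an explicitly supplied home directory and uses a constructed X11 socket path as a placeholder.

```python
import os

# Constructed sample policy in the directive format sketched in the mail; the
# X11 socket path is a placeholder, and "~" is expanded against a given home.
SAMPLE_POLICY = """\
restrict all
allow-read ~/.firefox /usr/pkg/bin
allow-read /etc
allow-write ~/.firefox ~/download
allow-connect /tmp/.X11-unix/X0
"""

def _expand(path, home):
    """Expand a leading "~" and collapse "." / ".." segments lexically."""
    if path == "~" or path.startswith("~/"):
        path = home + path[1:]
    return os.path.normpath(path)

def parse_policy(text, home):
    """Return {"read": [...], "write": [...], "connect": [...]} from pmac-style
    directives (hypothetical format). Refuses a policy without "restrict all",
    so the result is always default-deny."""
    rules = {"read": [], "write": [], "connect": []}
    default_deny = False
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "restrict" and words[1:] == ["all"]:
            default_deny = True
        elif words[0].startswith("allow-") and words[0][6:] in rules:
            rules[words[0][6:]].extend(_expand(p, home) for p in words[1:])
        else:
            raise ValueError(f"unparseable directive: {line!r}")
    if not default_deny:
        raise ValueError("policy must contain 'restrict all'")
    return rules

def permitted(rules, kind, path, home="/"):
    """Decide whether an access of `kind` ("read", "write", "connect") to
    `path` is allowed: the normalised path must equal an allowed prefix or lie
    beneath it as a whole directory component, so "/etcetera" does not match
    "/etc" and "/etc/../root" is judged as "/root". Normalisation here is
    lexical; a kernel implementation would decide on the resolved vnode so
    that symlinks cannot lead outside the allowed set."""
    target = _expand(path, home)
    for allowed in rules[kind]:
        if target == allowed or target.startswith(allowed.rstrip("/") + "/"):
            return True
    return False
```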