[rsbac] questions..

Michal Purzynski albeiro at polsl.gliwice.pl
Mon May 9 11:37:30 CEST 2005

On 9 maj, 2005, at 10:28, Andrea Pasquinucci wrote:

> Sorry for a few other dumb questions:
> 1. Does it make sense to build a kernel with the following modules:
>      PAX, RES, CAP, DAZ, FF (JAIL ?)
> notice that AUTH is missing
AUTH should be mandatory as it makes sure nobody can forge uids and 
gids. Without it attacker gaining root could easily bypass protection 
by switching to security officer uid and do whatever he like.
> 2. for RES, I guess that most dimensions are Bytes even if it is not
> written in the help
>   'fsize' "Size limit for each file."
>   'memlock' "Limit on locked-in-memory address space."
>   'as' "Address space (virtual memory) limit."
> whereas
>   'data' "Process data segment size limit in bytes."
>   'stack' "Process stack size limit in bytes."
>   'core' "Core dump size limit in bytes."
>   'rss' "Max resident set size in bytes."
As i remember they are in bytes, right.

> 3. About JAIL, Amon says often to use JAIL without chroot to protect
> users when using for example firefox/mozilla ecc. Is it possible to set
> this by using attr_set_fd (or similar), or one must start the program
> with rsbac_jail ? Is this in case a new feature which could be added?

Just use rsbac_jail with necesary switches, that's the only way to put 
program into jail.
It could be rather tricky to implement with attr_set_fd this way, but 
here only Amon can answer correctly. It would require some way to first 
setting up jail adn than assigning it to application.

> Moreover, what will happen if I would run firefox under jail with no
> chroot? for example, could I still use plugins or helpers (like xpdf,
> realplay, mplayer ecc. ?

Plugins should be working without problem, in case some JAIL is very 

Michal Purzynski <Albeiro>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 824 bytes
Desc: This is a digitally signed message part
Url : http://rsbac.dyndns.org/pipermail/rsbac/attachments/20050509/3bcc8cc1/PGP.bin

More information about the rsbac mailing list