[rsbac] questions..
Michal Purzynski
albeiro at polsl.gliwice.pl
Mon May 9 11:37:30 CEST 2005
On 9 maj, 2005, at 10:28, Andrea Pasquinucci wrote:
> Sorry for a few other dumb questions:
>
> 1. Does it make sense to build a kernel with the following modules:
> PAX, RES, CAP, DAZ, FF (JAIL ?)
> notice that AUTH is missing
>
AUTH should be mandatory as it makes sure nobody can forge uids and
gids. Without it attacker gaining root could easily bypass protection
by switching to security officer uid and do whatever he like.
>
> 2. for RES, I guess that most dimensions are Bytes even if it is not
> written in the help
>
> 'fsize' "Size limit for each file."
> 'memlock' "Limit on locked-in-memory address space."
> 'as' "Address space (virtual memory) limit."
>
> whereas
>
> 'data' "Process data segment size limit in bytes."
> 'stack' "Process stack size limit in bytes."
> 'core' "Core dump size limit in bytes."
> 'rss' "Max resident set size in bytes."
As i remember they are in bytes, right.
> 3. About JAIL, Amon says often to use JAIL without chroot to protect
> users when using for example firefox/mozilla ecc. Is it possible to set
> this by using attr_set_fd (or similar), or one must start the program
> with rsbac_jail ? Is this in case a new feature which could be added?
Just use rsbac_jail with necesary switches, that's the only way to put
program into jail.
It could be rather tricky to implement with attr_set_fd this way, but
here only Amon can answer correctly. It would require some way to first
setting up jail adn than assigning it to application.
> Moreover, what will happen if I would run firefox under jail with no
> chroot? for example, could I still use plugins or helpers (like xpdf,
> realplay, mplayer ecc. ?
Plugins should be working without problem, in case some JAIL is very
configurable.
Michal Purzynski <Albeiro>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 824 bytes
Desc: This is a digitally signed message part
Url : http://rsbac.dyndns.org/pipermail/rsbac/attachments/20050509/3bcc8cc1/PGP.bin
More information about the rsbac
mailing list