[rsbac] MAC: request MODIFY_SYSTEM_DATA, target NETDEV

Javier J. Martínez Cabezón tazok.id0 at gmail.com
Thu Jan 15 16:47:17 CET 2009

The PaX developer doesn't seem to trust it very much:

2009/1/15 Amon Ott <ao at rsbac.org>:
> On Thursday 15 January 2009, Javier J. Martínez Cabezón wrote:
>> Why DAZ on a Linux desktop? I thought that DAZ was useful, for
>> example, in mail servers. Do you consider malware a threat in (even) a
>> standard Linux?
>> I think that DAZ imposes too high an overhead on a desktop system; I
>> would not switch it on.
> We use it to check files before they get transferred to Windows clients.
>> The problem in his setup, I think, is X-org: xorg has CAP_SYS_RAWIO, and
>> if RSBAC can't control which addresses in /dev/mem it can reach, I
>> think that no setup is useful. Do we have something like grsecurity, so that
>> only video memory can be reached?
> The standard 2.6 kernel has such restrictions on board:
> Kernel Hacking -> Filter Access to /dev/mem
> I strongly recommend turning that on, even if only X can access /dev/mem with
> RSBAC. :)
> Amon.
> --
> http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
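A way to audit the two controls discussed in this thread, as an added example that is not part of the original messages: it checks a kernel config for the "Filter access to /dev/mem" option and lists processes whose effective capability set includes CAP_SYS_RAWIO. It assumes the option's config symbol is CONFIG_STRICT_DEVMEM and that CAP_SYS_RAWIO is capability number 17; the function names and sample values are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.
CAP_SYS_RAWIO_BIT=17   # CAP_SYS_RAWIO in <linux/capability.h>

# Read kernel config text on stdin and print enabled/disabled/unknown for
# "Filter access to /dev/mem" (assumed symbol: CONFIG_STRICT_DEVMEM).
devmem_filter_state() {
    awk '
        /^CONFIG_STRICT_DEVMEM=y$/            { s = "enabled" }
        /^# CONFIG_STRICT_DEVMEM is not set$/ { s = "disabled" }
        END { print (s ? s : "unknown") }'
}

# Succeed if the hex capability mask in $1 (a CapEff value) has CAP_SYS_RAWIO.
# Returns 2 for an empty or non-hex mask instead of evaluating it.
has_rawio() {
    case $1 in ''|*[!0-9a-fA-F]*) return 2 ;; esac
    [ $(( (0x$1 >> $CAP_SYS_RAWIO_BIT) & 1 )) -eq 1 ]
}

# Print "pid name" for each process holding CAP_SYS_RAWIO in its effective set.
# $1 is the proc root (default /proc), so a saved copy can be inspected too.
rawio_holders() {
    for f in "${1:-/proc}"/[0-9]*/status; do
        [ -r "$f" ] || continue
        name=$(awk '/^Name:/ {print $2; exit}' "$f" 2>/dev/null) || continue
        cap=$(awk '/^CapEff:/ {print $2; exit}' "$f" 2>/dev/null) || continue
        if has_rawio "$cap"; then
            pid=${f%/status}
            echo "${pid##*/} $name"
        fi
    done
}

# Constructed sample input (not taken from any real system).
sample_cfg='CONFIG_DEBUG_KERNEL=y
CONFIG_STRICT_DEVMEM=y'
printf '%s\n' "$sample_cfg" | devmem_filter_state
has_rawio 0000000000020000 && echo "0000000000020000: CAP_SYS_RAWIO present"
has_rawio 0000000000000400 || echo "0000000000000400: CAP_SYS_RAWIO absent"
```

On a live system, feed `devmem_filter_state` the running kernel's config (for example `/boot/config-$(uname -r)`, where the distribution ships it) and call `rawio_holders` with no argument; kernel threads appear in the list because they run with a full capability set.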