[rsbac] MAC: request MODIFY_SYSTEM_DATA, target NETDEV

Javier J. Martínez Cabezón tazok.id0 at gmail.com
Thu Jan 15 17:13:02 CET 2009


I started a mail thread about the restrictions of /dev/mem; I will
continue there.

2009/1/15 Javier J. Martínez Cabezón <tazok.id0 at gmail.com>:
> The PaX developer doesn't seem to trust it very much:
> http://archives.gentoo.org/gentoo-hardened/msg_7f2f9778ecc682c622be1ac7c97600fe.xml
> :-S
>
> 2009/1/15 Amon Ott <ao at rsbac.org>:
>> On Thursday 15 January 2009, Javier J. Martínez Cabezón wrote:
>>> Why DAZ on a Linux desktop? I thought that DAZ was useful, for
>>> example, in mail servers. Do you consider malware a threat in (even) a
>>> standard Linux?
>>> I think that DAZ imposes too high an overhead on a desktop system; I
>>> would not switch it on.
>>
>> We use it to check files before they get transferred to Windows clients.
>>
>>> The problem in his setup, I think, is X-org: xorg has CAP_SYS_RAWIO, and
>>> if rsbac can't control which addresses in /dev/mem it can reach, I
>>> think that no setup is useful. Do we have something like grsecurity, so that
>>> only video memory can be reached?
>>
>> The standard 2.6 kernel has such restrictions on board:
>>
>> Kernel Hacking -> Filter Access to /dev/mem
>>
>> I strongly recommend turning that on, even if only X can access /dev/mem with
>> RSBAC. :)
>>
>> Amon.
>> --
>> http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
>> _______________________________________________
>> rsbac mailing list
>> rsbac at rsbac.org
>> http://www.rsbac.org/mailman/listinfo/rsbac
>>
>
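
Added example, not part of the original thread or of RSBAC: a check of whether a kernel config has the "Filter access to /dev/mem" option recommended above turned on. It assumes the menu entry corresponds to the config symbol CONFIG_STRICT_DEVMEM (CONFIG_NONPROMISC_DEVMEM on x86 in 2.6.26), which the thread does not name; the function names and sample configs are constructed for illustration.

```shell
#!/bin/sh
# Usage: sh check_devmem.sh /boot/config-$(uname -r)   (or /proc/config.gz)
# Assumption: "Filter access to /dev/mem" is CONFIG_STRICT_DEVMEM
# (named CONFIG_NONPROMISC_DEVMEM on x86 in 2.6.26).

# Read kernel config text on stdin and print one of:
#   enabled  - the filter is built in (=y)
#   disabled - the symbol exists but is "not set"
#   unknown  - the symbol does not appear (arch or kernel lacks the option)
devmem_filter_state() {
    awk '
        /^CONFIG_(STRICT|NONPROMISC)_DEVMEM=y$/ { state = "enabled" }
        /^# CONFIG_(STRICT|NONPROMISC)_DEVMEM is not set$/ {
            if (state == "") state = "disabled"
        }
        END { print (state == "" ? "unknown" : state) }
    '
}

# Check a config file; handles plain files and gzip-compressed ones
# such as /proc/config.gz.
check_kernel_config() {
    case "$1" in
        *.gz) gzip -dc -- "$1" | devmem_filter_state ;;
        *)    devmem_filter_state < "$1" ;;
    esac
}

# Constructed sample configs (not taken from any real system).
sample_filtered() {
    printf '%s\n' 'CONFIG_DEBUG_KERNEL=y' 'CONFIG_STRICT_DEVMEM=y'
}
sample_open() {
    printf '%s\n' 'CONFIG_DEBUG_KERNEL=y' '# CONFIG_STRICT_DEVMEM is not set'
}

# When a config path is given on the command line, report its state.
if [ "$#" -gt 0 ]; then
    echo "$1: /dev/mem filtering $(check_kernel_config "$1")"
fi
```

A result of "disabled" or "unknown" on a host where X holds CAP_SYS_RAWIO means /dev/mem access is not restricted by the kernel itself.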
