tech-kern archive


Re: FWIW: sysrestrict



On Thu, Jul 28, 2016 at 08:42:49PM +0200, Joerg Sonnenberger wrote:
> 
> The difference is that correctly configured veriexec is a system-wide
> property. It doesn't matter if you can exec something, you don't get to
> execute binaries that weren't signed. 
> 

Technically, veriexec only runs files that have a valid fingerprint.
We don't, currently, have signing but that would be useful and probably
could be done now.  One thing that does seem to get overlooked a lot is
that you can mark a binary as being "indirect", which means that it is
allowed to be an interpreter for a shell script but cannot be invoked
directly on the command line.  So, if you marked /bin/sh as indirect then
all properly fingerprinted shell scripts would continue to function but
anyone trying to exec /bin/sh would be prevented from doing so.  This
would provide a bit of a speed hump for some script kiddies, but the feature
is more intended to provide a way of permitting powerful scripting
languages (think perl and the like) without leaving the system wide open.

(apologies for the following rubbish...)

-- 
Brett Lymn
This email has been sent on behalf of one of the following companies within the BAE Systems Australia group of companies:

    BAE Systems Australia Limited - Australian Company Number 008 423 005
    BAE Systems Australia Defence Pty Limited - Australian Company Number 006 870 846
    BAE Systems Australia Logistics Pty Limited - Australian Company Number 086 228 864

Our registered office is Evans Building, Taranaki Road, Edinburgh Parks,
Edinburgh, South Australia, 5111. If the identity of the sending company is
not clear from the content of this email please contact the sender.

This email and any attachments may contain confidential and legally
privileged information.  If you are not the intended recipient, do not copy or
disclose its content, but please reply to this email immediately and highlight
the error to the sender and then immediately delete the message.
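As an added illustration of the "indirect" flag described above (this is example code, not part of the thread and not NetBSD's own tooling), the script below writes a signatures file in the veriexec(5) layout of "path algorithm fingerprint flags", flagging the interpreter as indirect so it can only be reached through a fingerprinted script while scripts keep the default direct flag and data files are marked file. The flag names are taken from veriexecctl(8); the manifest, file names and temporary directory are constructed for the demo, and loading the result into the kernel (veriexecctl load) is assumed to happen separately.

```shell
#!/bin/sh
# Added example, not code from the thread or from NetBSD: emit a veriexec(5)
# signatures file from a constructed "path flags" manifest. Interpreters get
# "indirect" (usable only as a script interpreter, never exec'd directly),
# scripts and programs get "direct" (the default), data files get "file".

# Print the SHA-256 hex digest of a file; portable across NetBSD cksum(1)
# and GNU/BSD userlands.
fp_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        # NetBSD prints "SHA256 (file) = digest"; the digest is the last field
        cksum -a SHA256 "$1" | awk '{print $NF}'
    fi
}

# Emit one signatures line: $1 is the path, $2 the flag set.
sig_line() {
    printf '%s sha256 %s %s\n' "$1" "$(fp_sha256 "$1")" "$2"
}

# Read "path flags" pairs on stdin and write signatures lines to stdout.
# Blank lines and '#' comments are skipped; a missing flag means "direct".
gen_signatures() {
    while read -r path flags; do
        case "$path" in ''|'#'*) continue ;; esac
        sig_line "$path" "${flags:-direct}"
    done
}

# Demo on constructed files in a temp dir (stand-ins for /bin/sh, a script
# and a config file).
demo() {
    d=$(mktemp -d) || return 1
    printf 'fake interpreter bytes\n' > "$d/sh"
    printf '#!/bin/sh\necho hello\n' > "$d/hello.sh"
    printf 'config data\n' > "$d/app.conf"
    gen_signatures <<EOF
# interpreter: only reachable via a fingerprinted script
$d/sh indirect
# scripts/programs run from the command line: direct (the default)
$d/hello.sh direct
# data files: fingerprint checked on open rather than exec
$d/app.conf file
EOF
    rm -rf "$d"
}

# Run as "sh veriexec_sigs.sh demo" to print the generated signatures file.
case "${1:-}" in demo) demo ;; esac
```

The generated file is only half the story: veriexec enforces nothing until the signatures are loaded and the strict level is raised, and a fingerprint mismatch on the script itself is what blocks a tampered script before the indirect interpreter is ever consulted.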


