Subject: Re: trusted BSD?
To: None <email@example.com>
From: Elad Efrat <elad@NetBSD.org>
Date: 08/08/2005 18:20:22
Thor Lancelot Simon wrote:
> On Sun, Aug 07, 2005 at 09:50:37PM -0700, Simon Gerraty wrote:
>>I'm actually looking at using verified exec to associate capabilities
>>with certain apps - I'm already doing that now in a crude manner.
>>It avoids needing to implement extended attributes, and since I
>>digitally sign the manifest that verified exec is loaded from, I can
>>trust the association.
> I think this is the wrong way to go. I think that it would be much better
> to associate systrace policies with executables using verified exec, as
> we discussed some months ago -- and this avoids adding another bag on the
> side of the system that largely duplicates what systrace can do.
I believe the idea of having capabilities was to enable a ``fast path''
for more than just allow/deny. I certainly don't like the idea of having
two systems that do the same, but I'm now in the process of thinking how
would be the best way (IMHO) to implement it.
It's important to remember that for systrace to be useful, you have to
run the program through it. At the moment we have no way to enforce that
yet. We also might want to supply default policies for some programs
PGP Key ID: 0x666EB914