Subject: Re: trusted BSD?
To: Elad Efrat <elad@NetBSD.org>
From: Simon Gerraty <email@example.com>
Date: 08/08/2005 11:12:39
>I believe the idea of having capabilities was to enable a ``fast path''
I don't consider capabilities as a fast path - rather something that can
be enforced - especially if capabilities associated with files are
loaded via veriexec.
>It's important to remember that for systrace to be useful, you have to
>run the program through it. At the moment we have no way to enforce that
>yet. We also might want to supply default policies for some programs
This is my big problem. I need to make convincing arguments to
evaluation agencies to show that the system cannot run except in a
I'd rather have ping etc as normal binaries that can be run by normal
users and magically still be able to open raw sockets - capabilities
meets that requirement handily. More importantly, when run by the
super-user, all capabilities other than that to open raw sockets
should be dropped during exec.
Otherwise you may just have a false sense of security.
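The "keep only the raw-socket capability, drop everything else before doing any work" design Simon describes has a direct analogue on Linux, where a file capability can grant a ping-like binary CAP_NET_RAW without setuid root. The following is an added example, not code from this thread or from NetBSD (which at the time of the message had no such capability mechanism); it uses the Linux capget/capset system calls directly so that libcap need not be installed, and the function names retain_only and permitted_caps are my own. Run as an unprivileged user it simply leaves the already-empty sets empty; run with capabilities it reduces them to CAP_NET_RAW alone and clears the inheritable set so nothing is passed on to a later exec.

```c
#include <stdio.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Raw syscall wrappers (assumption: Linux kernel; libcap not required). */
static int cap_get(struct __user_cap_header_struct *h, struct __user_cap_data_struct *d) {
    return (int)syscall(SYS_capget, h, d);
}
static int cap_set(struct __user_cap_header_struct *h, const struct __user_cap_data_struct *d) {
    return (int)syscall(SYS_capset, h, d);
}

/* Keep only the capabilities whose bits are set in `keep` (bit n = capability n).
 * Everything else is removed from permitted and effective; inheritable is cleared
 * so that a further exec from this process starts with nothing.  Returns 0 on success.
 * Reducing one's own sets is always permitted, so this also succeeds for a process
 * that holds no capabilities at all. */
int retain_only(uint64_t keep) {
    struct __user_cap_header_struct hdr = { .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 };
    struct __user_cap_data_struct data[2] = {{0}};   /* v3 uses two 32-bit words */
    if (cap_get(&hdr, data) != 0)
        return -1;
    uint32_t keep_lo = (uint32_t)keep, keep_hi = (uint32_t)(keep >> 32);
    data[0].permitted &= keep_lo;
    data[1].permitted &= keep_hi;
    data[0].effective = data[0].permitted;          /* effective must be a subset of permitted */
    data[1].effective = data[1].permitted;
    data[0].inheritable = 0;
    data[1].inheritable = 0;
    return cap_set(&hdr, data);
}

/* Current permitted set as a 64-bit mask, or UINT64_MAX if capget fails. */
uint64_t permitted_caps(void) {
    struct __user_cap_header_struct hdr = { .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 };
    struct __user_cap_data_struct data[2] = {{0}};
    if (cap_get(&hdr, data) != 0)
        return UINT64_MAX;
    return ((uint64_t)data[1].permitted << 32) | data[0].permitted;
}

int main(void) {
    /* A ping-like program does this first, before parsing arguments or touching the network. */
    if (retain_only(1ULL << CAP_NET_RAW) != 0) {
        perror("capset");
        return 1;
    }
    uint64_t p = permitted_caps();
    printf("permitted after drop: 0x%llx (bit %d is CAP_NET_RAW)\n",
           (unsigned long long)p, CAP_NET_RAW);
    /* ... a raw socket would be opened here, needing only CAP_NET_RAW ... */
    return 0;
}
```

The point of doing this at the top of main rather than relying on the file capability alone is the one Simon makes about the super-user case: if the binary is started by root with a full permitted set, the reduction still leaves it with exactly one capability, so a later bug in the program cannot be used to reach anything else.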