Subject: Re: trusted BSD?
To: Daniel Carosone <firstname.lastname@example.org>
From: Elad Efrat <elad@NetBSD.org>
Date: 08/09/2005 06:41:37
Daniel Carosone wrote:
> If you consider the systrace policy to be a set of capabilities (ie,
> permitted syscalls), and the veriexec fingerprint of that to be the
> 'authorisation certificate' for that policy (ie, root declaring this
> policy is valid and allowed to make '.. permit as root' statements), I
> think you're a long way towards the goal.
It will probably be implemented as per-process bitmaps of capabilities.
> Agreed, but if that's the way to gain the capability you need...
> No, and that's an important aspect to round out the system, to ensure
> that (properly certified) systrace policies are the only way to gain
> the relevant capabilities. Consider a securelevel (or similar) above
> which no syscalls happen as root without systrace assistance.
I already have implemented this part. :)
> The area I see this model falling most short in at the moment isn't so
> much in the area of capabilities (expressed as above), or in the
> expressive power of those capabilities to describe a program's rights;
> it's in the area of credentials and applying capabilities to users
> like we can to programs. (Yes, we can test real uid in every
> program's systrace policy, but that's harder to manage than I'd like.)
Could be you're confusing between process capabilities and user
PGP Key ID: 0x666EB914