NetBSD-Users archive


Re: systrace replacement



On 26.03.2009 at 16:58, Christos Zoulas wrote:

> Because it provides a false sense of security like the aperture
> driver for X.  If a security measure can be circumvented it is not
> very useful. In this case it is trivial to use a multi-threaded
> program to exploit TOCTOU, and circumvent systrace. It is even
> documented in the original systrace paper. Until someone makes
> changes so that the system call arguments are saved in kernel space
> first before systrace inspection as the paper suggests, it is not
> very useful.

systrace can be used for more than improving security: for example, limiting programs from doing stuff you don't want. Additionally, everything that improves security is a good thing. There is no such thing as perfect security, so every single bit that increases it is good.

If you fear that it would give users a false impression of security, just don't have it in the default kernel config, like you had before. Those who actually recompile their kernel to get systrace know pretty well what they're doing.

--
Jonathan

Attachment: PGP.sig
Description: Signed part of the message
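The argument race Christos refers to, as an added illustration that is not part of this thread and not code from systrace or the NetBSD kernel. The model is deliberately small: policy_allows() is a hypothetical policy ("open() may only touch /tmp/"), open_inspect_in_place() stands for a monitor that inspects the syscall argument where it lives in user memory and then lets the kernel fetch it again, open_inspect_copy() stands for the paper's suggested fix (copy into kernel memory once, inspect the copy, act on the copy), and the race_window_fn callback stands in for the scheduler switching to a second thread of the traced process between inspection and use, so the outcome is deterministic and can be checked. All of these names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define ARG_LEN 64

/* Hypothetical policy for the traced program: open() may only touch /tmp/. */
static bool policy_allows(const char *path)
{
    return strncmp(path, "/tmp/", 5) == 0;
}

/* Stand-in for the moment between the monitor's inspection and the kernel's
 * own fetch of the argument. With real threads this is the scheduler handing
 * the CPU to a second thread of the traced process; here a callback makes the
 * window deterministic so the outcome can be checked. */
typedef void (*race_window_fn)(char *user_buf);

/* The second thread: rewrites the path in the process's own memory. */
static void attacker_swaps_path(char *user_buf)
{
    strcpy(user_buf, "/etc/passwd");
}

/* A well-behaved program: nothing happens in the window. */
static void nobody_runs(char *user_buf)
{
    (void)user_buf;
}

/* What the "kernel" ended up doing with the call. */
struct outcome {
    bool allowed;
    char acted_on[ARG_LEN];
};

/* Vulnerable flow: the monitor inspects the argument in user memory, then the
 * kernel reads user memory a second time to service the call. */
static struct outcome open_inspect_in_place(char *user_buf, race_window_fn window)
{
    struct outcome o = { false, "" };

    if (!policy_allows(user_buf))        /* monitor reads user memory */
        return o;
    window(user_buf);                    /* other thread may run here */
    o.allowed = true;
    strncpy(o.acted_on, user_buf, ARG_LEN - 1);  /* kernel reads it again */
    o.acted_on[ARG_LEN - 1] = '\0';
    return o;
}

/* Hardened flow, as the paper suggests: copy the argument into kernel memory
 * once, inspect that copy, and service the call from the same copy. */
static struct outcome open_inspect_copy(char *user_buf, race_window_fn window)
{
    struct outcome o = { false, "" };
    char kbuf[ARG_LEN];

    strncpy(kbuf, user_buf, ARG_LEN - 1);   /* the one and only copy-in */
    kbuf[ARG_LEN - 1] = '\0';
    if (!policy_allows(kbuf))
        return o;
    window(user_buf);                    /* user memory may still change... */
    o.allowed = true;
    strcpy(o.acted_on, kbuf);            /* ...but the kernel uses its copy */
    return o;
}

int main(void)
{
    char user_buf[ARG_LEN];
    struct outcome o;

    strcpy(user_buf, "/tmp/ok");
    o = open_inspect_in_place(user_buf, attacker_swaps_path);
    printf("in-place inspection:  allowed=%d acted_on=%s\n", o.allowed, o.acted_on);

    strcpy(user_buf, "/tmp/ok");
    o = open_inspect_copy(user_buf, attacker_swaps_path);
    printf("copy-first inspection: allowed=%d acted_on=%s\n", o.allowed, o.acted_on);

    strcpy(user_buf, "/etc/passwd");
    o = open_inspect_copy(user_buf, nobody_runs);
    printf("direct attempt:        allowed=%d\n", o.allowed);
    return 0;
}
```

The point of the two flows is where the second read happens: in the in-place flow the policy decision is made on one value and the kernel acts on whatever is in user memory afterwards, so a thread that keeps flipping the buffer between an allowed and a forbidden path only has to win the window once. In the copy-first flow the attacker can still rewrite user memory, but the decision and the action share a single snapshot, so the rewrite has no effect. With real threads the window is whatever the scheduler gives you, which is why the race is described as trivial rather than theoretical.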


