On Tue, May 13, 2003 at 02:17:49PM -0400, der Mouse wrote:
> >>> How would a cryptographic filesystem have helped any more than
> >>> simply changing the permissions on the binaries so that they were
> >>> executable but not readable?
> >> The kernel will have a key to decrypt binaries that are loaded from
> >> hard disk. so copying the encrypted binaries on another unix box
> >> will not allow them to be used.
> > That doesn't make any sense at all; if you can bypoass the kernel's
> > protection and copy executables that have executable but not read
> > permission, you can bypass the kernel's protection and decrypt and
> > copy the executables.
> 
> Only if you have the decryption key - or if the bypass method includes
> the decryption path.

The kernel has only a single domain of protection.  If you can bypass its
enforcement of filesystem permissions, you can bypass its control over
the purposes for which executables will be decrypted.