Re: [PATCH 0/7] procfs privacy

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 2005-04-18 at 22:18 +0200, Lorenzo Hernández García-Hierro
wrote:
> For this purpose I (re)submitted a patch originally made by Serge E.
> Hallyn that adds a hook in order to catch task lookups, thus, providing
> an easy way to handle and determine when a task can lookup'ed.
> 
> It's at:
> http://pearls.tuxedo-es.org/patches/lsm/lsm-task_lookup-hook.patch
> 
> vSecurity currently provides support for it (optional).
> 
> SELinux policy can handle in a much more fine-grained these
> restrictions, just that it's still something that not all people can
> deploy without some special effort and "tweak up" (if their system
> doesn't provide support for it, of course, currently Red Hat has done a
> great job in that terms).

To be precise, SELinux assigns security labels to /proc inodes
(/proc/pid inodes are labeled based on the associated task label, and
other /proc inodes are labeled based on the policy configuration), and
controls access based on the policy.  It can e.g. prevent a process in
one security domain from accessing anything under /proc/<pid> for a
process in a different domain, but not from seeing the top-level entry
in /proc itself (as it doesn't do any kind of directory filtering).

-- 
Stephen Smalley <[email protected]>
National Security Agency

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux