A new kind of security needed
Matthew Dillon
dillon at apollo.backplane.com
Thu Jul 24 16:51:46 UTC 2008
Doesn't OpenBSD have a syscall filtering mechanic where one can restrict
the file paths the program is allowed to access?
What I would like to see is the ability to just wrap an application
with a few process-tracked control directives which restricts what
portion of the filesystem and kernel namespace the program (and all
its children)" can then access. So, e.g. something like:
#!/bin/csh
#
pmac $$ << EOF
restrict all
allow-read ~/.firefox /usr/pkg/bin
allow-read /etc
allow-write ~/.firefox ~/download
allow-connect <path_to_X11_socket> <<<<<< ok that probably would be
allow-connect named
a gaping hole, but...
exec firefox ...
EOF
It seems to me it would be fairly simple filter to make.
The problem with using different usernames, jails, chroots... the
problem with all of that is that they are not fine-grained mechanisms
and it is seriously inconvenient to set up on an application-by-application
basis.
-Matt
Matthew Dillon
<dillon at backplane.com>
More information about the freebsd-security
mailing list