A few thoughts..
H. S.
security at revolutionsp.com
Tue Mar 29 14:41:21 PST 2005
> On Tue, Mar 29, 2005 at 03:12:25PM -0600, H. S. wrote:
>> This could be compared to what was done in FreeBSD lately, I remember in
>> 4.7 (and probably later, up to 4.10 I think) a user could see the full
>> connection lists (even connections from other users), only later the
>> kern.ps_showallprocs/security.bsd.see_other_uids took effect for these
>> matters too.
>
> It needs time to implement and actually process such checks.
I understand, and can only congratulate the freebsd developers for the
nice programming you've all gotten us used to. I can't code C enough to be
able to do anything really complex, however I do have a noction of how
much effort is put into stuff like this.
>
>> > Have a look at mac(3), mac(4) and mac.conf(5), it's not systrace but
>> you
>> > can achieve
>> > similar results.
>>
>> Systrace is much more complex than mac.
>
> That's a good one! It's actually quite the reverse, MAC is much more
> powerful than systrace, simply because it operates on a different
> level. You can do all this kind of checks with a MAC policy, if
> something does not have the necessary hooks, complain to Robert Watson :)
>
> Joerg
Hmm, I'll furthen my MAC knowledge then :-)
> _______________________________________________
> freebsd-hackers at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe at freebsd.org"
>
More information about the freebsd-hackers
mailing list