[EMAIL PROTECTED] wrote:
> On 26 Apr 2006 at 10:01, Joshua Brindle wrote:
>> This is no flamewar. The model is broken by my standards. It bypasses
>> built-in DAC and capabilities in the kernel, making it the single attack
>> vector to gain all access on the system. Compare to grsecurity, RSBAC and
>> SELinux, which do not bypass kernel access control or escalate privileges.
>
> It'd help the discussion/review (which is what Andrea asked for) if
> you/others were more precise and cited specific attacks. Generic
> hand-waving of 'this is broken' doesn't help it. This is not to say that
> I disagree with your opinion (FWIW, you and spender are on the same
> side for once ;-).

I don't agree that specific attack vectors are required to determine
whether a model is broken. The reasons I think the model is broken are
pretty clearly laid out in the URLs posted. There are also others for
this specific implementation. It is a dire problem to facilitate
non-security-aware/minded users adding rules to the policy dynamically.
"If I don't push yes, this won't work": these systems have been shown
time and time again to fail. And, like I already said, bypassing
in-kernel DAC and capability restrictions means that there is now a
single attack vector to gain all system privileges. This means systrace
actually *removes* a layer of security from the system, which is clearly
a bad idea.

http://securityblog.org/brindle/2006/03/25/security-anti-pattern-status-quo-encapsulation/
http://securityblog.org/brindle/2006/04/19/security-anti-pattern-path-based-access-control/

> It's funny that you mention these, as I just came across them and was
> going to post a rebuttal to many of your claims. Do you want them here
> on the list or on the blog (it will probably take a few days until I
> have enough free time, though)?

On the blog is fine. Remember that those posts aren't targeting specific
implementations (e.g., grsec is not affected by all of the issues listed)
but rather the model in general.
--
gentoo-security@gentoo.org mailing list