Rule set based access control (rsbac) for linux

headers Javier Juan Martínez Cabezón | 8 Oct 2011 00:36

Hi

I think it would be a good idea to split the MAP_EXEC request into two
requests, MAP_EXEC to EXEC only mappings and MAP_WRITE to write only
mappings, with this I think we could get W or X or mprotect pax facility
implemented in RC or ACL as requests fully integrated. In case both required
every one could grant both (java and a few ones more..., nothing important
though)

I think every PROT_EXEC rights should be granted only to every T_FILE
targets, and PROT_WRITE to T_NONE. I think changes wouldn't be so heavy,
don't you think?.

from mprotect.c:

MAP_EXEC||MAP_WRITE
 #ifdef CONFIG_RSBAC
 317                 if ((prot & PROT_EXEC) && !(vma->vm_flags & PROT_EXEC))
{
 318                         rsbac_pr_debug(aef, "calling ADF\n");
 319                         if (vma->vm_file) {
 320                                 rsbac_target = T_FILE;
 321                                 rsbac_target_id.file.device =
vma->vm_file->f_dentry->d_inode->i_sb->s_dev;
 322                                 rsbac_target_id.file.inode =
vma->vm_file->f_dentry->d_inode->i_ino;
 323                                 rsbac_target_id.file.dentry_p =
vma->vm_file->f_dentry;
 324                         } else {
 325                                 rsbac_target = T_NONE;

Mon	Tue	Wed	Thu	Fri	Sat	Sun

					1	2
3	4	5	6	7	8	9
10	11	12	13	14	15	16
17	18	19	20	21	22	23
24	25	26	27	28	29	30
31

14	May 2013
6	April 2013
5	March 2013
14	February 2013
2	January 2013
8	December 2012
4	November 2012
10	October 2012
2	September 2012
8	August 2012
18	July 2012
7	June 2012
7	May 2012
17	April 2012
31	March 2012
6	February 2012
3	January 2012
2	December 2011
18	November 2011
6	October 2011
1	September 2011
17	August 2011
11	July 2011
13	June 2011
6	May 2011
1	April 2011
8	March 2011
14	February 2011
10	January 2011
3	December 2010
3	November 2010
2	October 2010
8	August 2010
2	July 2010
3	May 2010
27	April 2010
7	March 2010
8	February 2010
1	January 2010
10	December 2009
6	November 2009
15	October 2009
22	September 2009
15	August 2009
6	June 2009
8	May 2009
14	April 2009
1	March 2009
8	February 2009
70	January 2009
13	December 2008
37	November 2008
12	October 2008
4	September 2008
3	August 2008
11	July 2008
13	June 2008
1	May 2008
5	February 2008
2	January 2008
3	December 2007
12	November 2007
9	October 2007
20	September 2007
13	August 2007
36	July 2007
13	June 2007
34	May 2007
30	April 2007
12	March 2007
8	February 2007
10	January 2007
10	December 2006
11	November 2006
10	October 2006
28	September 2006
44	August 2006
56	July 2006
37	June 2006
8	May 2006
23	April 2006
27	March 2006
21	February 2006
36	January 2006
15	December 2005
15	November 2005
18	October 2005
30	September 2005
25	August 2005
58	July 2005
39	June 2005
37	May 2005
27	April 2005
39	March 2005
58	February 2005
43	January 2005
20	December 2004
21	November 2004
42	October 2004
21	September 2004
48	August 2004
28	July 2004
59	June 2004
46	May 2004
48	April 2004
57	March 2004
28	February 2004
27	January 2004
60	December 2003
36	November 2003
59	October 2003
63	September 2003
23	August 2003

PROT_EXEC PROT_WRITE

jail

Re: jail

Re: jail

Re: jail

Re: jail