Re: TOMOYO Linux Security Goal

2007-12-31 Thread Serge E. Hallyn
Quoting Tetsuo Handa ([EMAIL PROTECTED]): > Hello. > > Serge E. Hallyn wrote: > > > Does a process get different mount trees by just calling clone() or > > > unshare()? > > > My understanding is that clone() or unshare() disables propagation of > > > mount tree changes when somebody calls

Re: TOMOYO Linux Security Goal

2007-12-31 Thread Casey Schaufler
--- [EMAIL PROTECTED] wrote: > I'm pretty sure that most of the security community agrees on what "correct" > means - the disagreement is in the most cost-effective way to *create* one. Struth. (I'm practicing my Australian, it's gotten rusty) I say that the only rational way to create a

Re: TOMOYO Linux Security Goal

2007-12-31 Thread Tetsuo Handa
Hello. Serge E. Hallyn wrote: > > Does a process get different mount trees by just calling clone() or > > unshare()? > > My understanding is that clone() or unshare() disables propagation of > > mount tree changes when somebody calls mount() or umount() or pivot_root(). > > Yes, with further

Re: TOMOYO Linux Security Goal

2007-12-31 Thread Serge E. Hallyn
Quoting Tetsuo Handa ([EMAIL PROTECTED]): > Hello. > > Serge E. Hallyn wrote: > > > > > * namespace manipulation. (i.e. mount()/umount()/pivot_root()) > > > > > > > > do you track mounts namespace cloning? > > > > > > > Yes. TOMOYO can recognize mount operation with the following flags. > > >

Re: TOMOYO Linux Security Goal

2007-12-31 Thread Serge E. Hallyn
Quoting Tetsuo Handa ([EMAIL PROTECTED]): Hello. Serge E. Hallyn wrote: * namespace manipulation. (i.e. mount()/umount()/pivot_root()) do you track mounts namespace cloning? Yes. TOMOYO can recognize mount operation with the following flags. --bind --move

Re: TOMOYO Linux Security Goal

2007-12-31 Thread Tetsuo Handa
Hello. Serge E. Hallyn wrote: Does a process get different mount trees by just calling clone() or unshare()? My understanding is that clone() or unshare() disables propagation of mount tree changes when somebody calls mount() or umount() or pivot_root(). Yes, with further propagation

Re: TOMOYO Linux Security Goal

2007-12-31 Thread Casey Schaufler
--- [EMAIL PROTECTED] wrote: I'm pretty sure that most of the security community agrees on what correct means - the disagreement is in the most cost-effective way to *create* one. Struth. (I'm practicing my Australian, it's gotten rusty) I say that the only rational way to create a

Re: TOMOYO Linux Security Goal

2007-12-31 Thread Serge E. Hallyn
Quoting Tetsuo Handa ([EMAIL PROTECTED]): Hello. Serge E. Hallyn wrote: Does a process get different mount trees by just calling clone() or unshare()? My understanding is that clone() or unshare() disables propagation of mount tree changes when somebody calls mount() or umount()

Re: TOMOYO Linux Security Goal

2007-12-29 Thread Valdis . Kletnieks
On Sun, 30 Dec 2007 14:29:50 +0900, Tetsuo Handa said: > Use of "learning mode" is independent from "correct policy". My point *exactly*. > The "learning mode" merely takes your duty of appending permissions to policy. > We can develop and share procedures for how to exercise infrequently used

Re: TOMOYO Linux Security Goal

2007-12-29 Thread Tetsuo Handa
Hello. [EMAIL PROTECTED] wrote: > Please make a *big* notation someplace that "learning mode" is quite likely to > *not* produce a totally correct policy. In particular, it won't build rules > for > infrequently used code paths (such as error handling) unless you find a way to > exercise those

Re: TOMOYO Linux Security Goal

2007-12-29 Thread Pavel Machek
On Fri 2007-12-28 12:23:51, [EMAIL PROTECTED] wrote: > On Fri, 28 Dec 2007 23:32:09 +0900, Tetsuo Handa said: > > > You can run your system with only policy collected by learning mode. > > Thus, you basically don't need manual intervention. > > But since there are randomly named files (i.e.

Re: TOMOYO Linux Security Goal

2007-12-29 Thread Pavel Machek
On Fri 2007-12-28 12:23:51, [EMAIL PROTECTED] wrote: On Fri, 28 Dec 2007 23:32:09 +0900, Tetsuo Handa said: You can run your system with only policy collected by learning mode. Thus, you basically don't need manual intervention. But since there are randomly named files (i.e. temporary

Re: TOMOYO Linux Security Goal

2007-12-29 Thread Tetsuo Handa
Hello. [EMAIL PROTECTED] wrote: Please make a *big* notation someplace that learning mode is quite likely to *not* produce a totally correct policy. In particular, it won't build rules for infrequently used code paths (such as error handling) unless you find a way to exercise those paths

Re: TOMOYO Linux Security Goal

2007-12-29 Thread Valdis . Kletnieks
On Sun, 30 Dec 2007 14:29:50 +0900, Tetsuo Handa said: Use of learning mode is independent from correct policy. My point *exactly*. The learning mode merely takes your duty of appending permissions to policy. We can develop and share procedures for how to exercise infrequently used code

Re: TOMOYO Linux Security Goal

2007-12-28 Thread Tetsuo Handa
Hello. Serge E. Hallyn wrote: > > > > * namespace manipulation. (i.e. mount()/umount()/pivot_root()) > > > > > > do you track mounts namespace cloning? > > > > > Yes. TOMOYO can recognize mount operation with the following flags. > > > > --bind --move --remount > > --make-unbindable

Re: TOMOYO Linux Security Goal

2007-12-28 Thread Valdis . Kletnieks
On Fri, 28 Dec 2007 23:32:09 +0900, Tetsuo Handa said: > You can run your system with only policy collected by learning mode. > Thus, you basically don't need manual intervention. > But since there are randomly named files (i.e. temporary files), > you pay a little time to modify policy. > > The

Re: TOMOYO Linux Security Goal

2007-12-28 Thread Serge E. Hallyn
Quoting Tetsuo Handa ([EMAIL PROTECTED]): > Hello. > > > Serge E. Hallyn wrote: > > Auto-learning in itself doesn't seem novel, but so you're saying it's > > novel in just how integrated it is - no manual intervention necessary? > > You can run your system with only policy collected by learning

Re: TOMOYO Linux Security Goal

2007-12-28 Thread Tetsuo Handa
Hello. Serge E. Hallyn wrote: > Auto-learning in itself doesn't seem novel, but so you're saying it's > novel in just how integrated it is - no manual intervention necessary? You can run your system with only policy collected by learning mode. Thus, you basically don't need manual intervention.

Re: TOMOYO Linux Security Goal

2007-12-28 Thread Tetsuo Handa
Hello. Serge E. Hallyn wrote: Auto-learning in itself doesn't seem novel, but so you're saying it's novel in just how integrated it is - no manual intervention necessary? You can run your system with only policy collected by learning mode. Thus, you basically don't need manual intervention. But

Re: TOMOYO Linux Security Goal

2007-12-28 Thread Serge E. Hallyn
Quoting Tetsuo Handa ([EMAIL PROTECTED]): Hello. Serge E. Hallyn wrote: Auto-learning in itself doesn't seem novel, but so you're saying it's novel in just how integrated it is - no manual intervention necessary? You can run your system with only policy collected by learning mode.

Re: TOMOYO Linux Security Goal

2007-12-28 Thread Valdis . Kletnieks
On Fri, 28 Dec 2007 23:32:09 +0900, Tetsuo Handa said: You can run your system with only policy collected by learning mode. Thus, you basically don't need manual intervention. But since there are randomly named files (i.e. temporary files), you pay a little time to modify policy. The

Re: TOMOYO Linux Security Goal

2007-12-28 Thread Tetsuo Handa
Hello. Serge E. Hallyn wrote: * namespace manipulation. (i.e. mount()/umount()/pivot_root()) do you track mounts namespace cloning? Yes. TOMOYO can recognize mount operation with the following flags. --bind --move --remount --make-unbindable --make-private

Re: TOMOYO Linux Security Goal

2007-12-27 Thread Serge E. Hallyn
Quoting Tetsuo Handa ([EMAIL PROTECTED]): > Hello. > > Thank you for feedback. > > Serge E. Hallyn wrote: > > > TOMOYO Linux is a DIY tool for understanding and protecting your system. > > > TOMOYO Linux policy definitions are absolutely readable to Linux users, > > > and > > > TOMOYO Linux

Re: TOMOYO Linux Security Goal

2007-12-27 Thread Tetsuo Handa
Hello. Thank you for feedback. Serge E. Hallyn wrote: > > TOMOYO Linux is a DIY tool for understanding and protecting your system. > > TOMOYO Linux policy definitions are absolutely readable to Linux users, and > > TOMOYO Linux supports unique policy learning mechanism which automatically > >

Re: TOMOYO Linux Security Goal

2007-12-27 Thread Serge E. Hallyn
Quoting Tetsuo Handa ([EMAIL PROTECTED]): Hello. Thank you for feedback. Serge E. Hallyn wrote: TOMOYO Linux is a DIY tool for understanding and protecting your system. TOMOYO Linux policy definitions are absolutely readable to Linux users, and TOMOYO Linux supports unique

Re: TOMOYO Linux Security Goal

2007-12-27 Thread Tetsuo Handa
Hello. Thank you for feedback. Serge E. Hallyn wrote: TOMOYO Linux is a DIY tool for understanding and protecting your system. TOMOYO Linux policy definitions are absolutely readable to Linux users, and TOMOYO Linux supports unique policy learning mechanism which automatically Are they

Re: TOMOYO Linux Security Goal

2007-12-26 Thread Serge E. Hallyn
oting can be done by users. > We put some TOMOYO Linux policy examples on our web site. > > http://tomoyo.sourceforge.jp/cgi-bin/lxr/source/etch/domain_policy.conf?v=policy-sample > > 2. TOMOYO Linux Security Goal This section seems to me to be the most important one, and could

Re: TOMOYO Linux Security Goal

2007-12-26 Thread Serge E. Hallyn
examples on our web site. http://tomoyo.sourceforge.jp/cgi-bin/lxr/source/etch/domain_policy.conf?v=policy-sample 2. TOMOYO Linux Security Goal This section seems to me to be the most important one, and could really use a little more detail. The TOMOYO Linux's security goal is to provide MAC

TOMOYO Linux Security Goal

2007-12-25 Thread Tetsuo Handa
/domain_policy.conf?v=policy-sample 2. TOMOYO Linux Security Goal The TOMOYO Linux's security goal is to provide "MAC that covers practical requirements for most users and keeps usable for most administrators". TOMOYO Linux is not a tool for security professional but for average users and administ

TOMOYO Linux Security Goal

2007-12-25 Thread Tetsuo Handa
/domain_policy.conf?v=policy-sample 2. TOMOYO Linux Security Goal The TOMOYO Linux's security goal is to provide MAC that covers practical requirements for most users and keeps usable for most administrators. TOMOYO Linux is not a tool for security professional but for average users and administrators. 3