On Mar 9, 2010, at 2:55 PM, Thor Lancelot Simon wrote:

> On Tue, Mar 09, 2010 at 08:45:09PM +0100, Joerg Sonnenberger wrote:
>> On Tue, Mar 09, 2010 at 02:23:13PM -0500, Thor Lancelot Simon wrote:
>>> I want to be able to tell the kernel to mount a device reliably identified
>>> by some kind of unique, symbolic name. I want to be able to load a list
>>> of permissible such names into the kernel while it's running insecure, and
>>> restrict mounting to those and only those when it's running secure.
>>
>> I don't get it. What kind of devices are you talking about? If the
>> environment is static, you can still use the same identifier as before.
>
> When you say "the same identifier as before" what exactly do you mean?
>
>> If it is not, why do you believe that the device you are dealing with is
>> the one you hoped it is?
>
> That's a matter for the kernel to decide -- not one for some userspace
> program which could be tampered with by any process running with euid 0.
>
> At least, that is how I would strongly prefer it to be.
But what's to stop someone from mounting a new file system over /bin? Or are you talking about secure_level 2?

--Steve Bellovin, http://www.cs.columbia.edu/~smb