Re: Secure-linux and standard kernel

Vadim E. Kogan (vadim@vadim.gem.net)
Thu, 25 Jun 1998 23:55:41 -0700


Sorry to enter the discussion late.

1. There is absolutely no need to have the SAME type of filesystem
everywhere. And it's even better to use different types, depending on
the needs. Therefore the argument "we can't change the filesystem, because we
don't need much security on the news spool" doesn't make any sense.

2. Binaries are subject to checking. Unless they are signed you don't know
if anybody changed them. Even if the kernel doesn't usually let you do that,
an enemy can boot the computer from a floppy with a different kernel. So, storing
64 bits of "security" in binaries makes no sense.

3. Capabilities don't provide everything needed for an average secure
system. But maybe for the "lame" level, meaning "public insecure", it's
enough. Especially for systems with root being the superuser.

4. Sockets, files, dirs, processes, etc. don't differ at all for security
purposes. They are all objects that have some rights to the system and to
other objects. A more generalized level of security in the kernel is IMHO the
best way to solve all those problems in one shot.

5. The design for B1-level kernel security is being discussed now. We think
that the first release might hit the public in several months. It will introduce
incompatibilities with the "regular" system, but simple management tools
will be provided.

Vadim
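
Point 2 of the post, as an added example that is not part of the original message: a detached Ed25519 signature over the binary's hash (verified with a public key, private key kept off the host) next to a hypothetical 64-bit "security" word stored in the file itself. The sample image, its trailing-word layout and the key pair are constructed assumptions for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Hypothetical layout: the last 8 bytes of the image hold the 64-bit "security" word.
const wordLen = 8

// securityWordOK is the in-file check the post argues against: an offline edit can leave these bits intact.
func securityWordOK(image []byte, want uint64) bool {
	if len(image) < wordLen {
		return false
	}
	return binary.LittleEndian.Uint64(image[len(image)-wordLen:]) == want
}

// signImage makes a detached Ed25519 signature over SHA-256 of the image; the private key stays off-host.
func signImage(priv ed25519.PrivateKey, image []byte) []byte {
	sum := sha256.Sum256(image)
	return ed25519.Sign(priv, sum[:])
}

// verifyImage needs only the public key: any offline change to the image breaks the signature.
func verifyImage(pub ed25519.PublicKey, image, sig []byte) bool {
	sum := sha256.Sum256(image)
	return ed25519.Verify(pub, sum[:], sig)
}

// modifiedCopy simulates the offline change from the post: one body byte flipped, security word untouched.
func modifiedCopy(image []byte) []byte {
	out := append([]byte(nil), image...)
	out[0] ^= 0xff
	return out
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	const word = uint64(0x0123456789abcdef)
	image := append([]byte("constructed-binary-body"), make([]byte, wordLen)...)
	binary.LittleEndian.PutUint64(image[len(image)-wordLen:], word)
	sig := signImage(priv, image)
	mod := modifiedCopy(image)
	fmt.Println(securityWordOK(mod, word), verifyImage(pub, mod, sig)) // true false
}
```

The in-file word still reports OK after the body was changed, while the detached signature fails; only the latter tells the operator anything.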

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu