mac_suidacl policy has been committed
Samy Al Bahra
samy at kerneled.org
Tue Jun 28 12:54:27 GMT 2005
I wanted to note that the mac_suidacl policy has just been committed
into the P4 MAC repository. This policy takes advantage of the recently
committed setxid() entry points and check_vnode_exec to control access
to credential-changing elements of a system (setxid() calls and
suid/sgid executables) at uid/gid level.
Example:
jee# sysctl security.mac.suidacl.rules="uid:1002:execve"
security.mac.suidacl.rules: -> uid:1002:execve
jee# su samy
samy$ id
uid=1002(samy) gid=1002(samy) groups=1002(samy)
samy$ ping
su: /sbin/ping: Operation not permitted
Please see the committed manual page for more information.
--
Samy Al Bahra <samy at kerneled.org>
Kerneled.org
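As an added illustration (not the committed module or its manual page), the following Python models how a rule string of the shape shown in the example above could be parsed and consulted from the two hooks the post names, check_vnode_exec and the setxid() entry points. The deny-on-match meaning, the comma separator between rules, the gid: form and the setxid action token are assumptions inferred from the single example, not the documented grammar.

```python
"""Userland model of mac_suidacl-style rule evaluation (added illustration,
not the module's code). Assumed from the post's example: "uid:1002:execve"
denies uid 1002 the execve of setuid/setgid binaries."""
import errno
import stat
from dataclasses import dataclass

ACTIONS = {"execve", "setxid"}   # the "setxid" token is an assumption


@dataclass(frozen=True)
class Rule:
    kind: str      # "uid" or "gid" (gid form is an assumption)
    ident: int
    action: str


def parse_rules(rules: str) -> list[Rule]:
    """Parse a comma-separated rule string such as "uid:1002:execve,gid:20:setxid".
    The comma separator is an assumption; the post shows a single rule only."""
    out = []
    for item in filter(None, (s.strip() for s in rules.split(","))):
        kind, ident, action = item.split(":")
        if kind not in ("uid", "gid") or action not in ACTIONS:
            raise ValueError(f"bad rule: {item!r}")
        out.append(Rule(kind, int(ident), action))
    return out


def _matches(rules, uid, gids, action):
    """True when some rule names this action for the subject's uid or one of its gids."""
    return any(r.action == action and
               ((r.kind == "uid" and r.ident == uid) or
                (r.kind == "gid" and r.ident in gids))
               for r in rules)


def check_vnode_exec(rules, uid, gids, mode):
    """Model of the exec hook: return EPERM (the "Operation not permitted" seen in
    the post) when the subject matches an execve rule and the target file carries
    the setuid or setgid bit; otherwise 0 (allow)."""
    if mode & (stat.S_ISUID | stat.S_ISGID) and _matches(rules, uid, gids, "execve"):
        return errno.EPERM
    return 0


def check_setxid(rules, uid, gids):
    """Model of the setxid() entry-point hook: deny credential changes for a
    matching subject, allow otherwise."""
    return errno.EPERM if _matches(rules, uid, gids, "setxid") else 0
```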