Subject: Re: trusted BSD?
To: Daniel Carosone <dan@geek.com.au>
From: Elad Efrat <elad@NetBSD.org>
List: tech-security
Date: 08/09/2005 06:41:37
Daniel Carosone wrote:

> If you consider the systrace policy to be a set of capabilities (ie,
> permitted syscalls), and the veriexec fingerprint of that to be the
> 'authorisation certificate' for that policy (ie, root declaring this
> policy is valid and allowed to make '.. permit as root' statements), I
> think you're a long way towards the goal.

It will probably be implemented as per-process bitmaps of capabilities.

> Agreed, but if that's the way to gain the capability you need...
[...]
> No, and that's an important aspect to round out the system, to ensure
> that (properly certified) systrace policies are the only way to gain
> the relevant capabilities.  Consider a securelevel (or similar) above
> which no syscalls happen as root without systrace assistance.

I already have implemented this part. :)

> The area I see this model falling most short in at the moment isn't so
> much in the area of capabilities (expressed as above), or in the
> expressive power of those capabilities to describe a program's rights;
> it's in the area of credentials and applying capabilities to users
> like we can to programs.  (Yes, we can test real uid in every
> program's systrace policy, but that's harder to manage than I'd like.)

Could it be you're confusing process capabilities with user
capabilities?

-e.

-- 
Elad Efrat
PGP Key ID: 0x666EB914
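An added illustration, in C, of the scheme sketched in the thread above (it is not NetBSD code and not from either participant): per-process capability bitmaps that can only be filled from a systrace policy whose veriexec fingerprint is the certified one, plus a securelevel above which root gets no privileged syscall without such a capability. The capability names, fingerprint bytes and securelevel threshold are constructed for the example.

```c
/* Added illustration, not NetBSD code, of the model discussed above: a
 * per-process capability bitmap populated only from a systrace policy whose
 * veriexec fingerprint matches the certified one, and a securelevel above
 * which root gets no privileged syscall without such a capability.
 * All names, bit values and fingerprints below are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define CAP_RAW_SOCKET (1u << 0)   /* constructed capability bits */
#define CAP_MOUNT      (1u << 1)

struct proc {
    uint32_t uid;
    uint32_t caps;          /* per-process capability bitmap */
};

struct policy {             /* a systrace policy as the kernel sees it */
    uint32_t grants;        /* capabilities the policy permits */
    uint8_t  fp[4];         /* veriexec fingerprint of the policy file (shortened) */
};

/* Fingerprint root certified; veriexec would keep this in its database. */
static const uint8_t trusted_fp[4] = { 0xde, 0xad, 0xbe, 0xef };

/* Raised at boot, never lowered while running. */
static int securelevel = 0;

/* Grant a policy's capabilities to a process, but only if the policy's
 * fingerprint is the certified one; an uncertified policy grants nothing. */
bool policy_apply(struct proc *p, const struct policy *pol)
{
    if (memcmp(pol->fp, trusted_fp, sizeof trusted_fp) != 0)
        return false;
    p->caps |= pol->grants;
    return true;
}

/* Gate for a privileged syscall needing capability `need`. Below securelevel 2
 * root keeps its traditional power; at or above it even root must hold the
 * bit, which it can only have obtained through policy_apply(). */
bool syscall_allowed(const struct proc *p, uint32_t need)
{
    if (p->caps & need)
        return true;
    return p->uid == 0 && securelevel < 2;
}
```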