Re: The disappearing sys_call_table export.

Alan Cox (alan@lxorguk.ukuu.org.uk)
12 May 2003 22:19:51 +0100


On Llu, 2003-05-12 at 23:12, Valdis.Kletnieks@vt.edu wrote:
> > "That can be done manually" does not get you the check mark in
> > the list of features. Management wants idiot-resistant security.
>
> In particular, the code that handles the zeroing out of resource objects
> before re-use needs to be "inside" the trusted-base perimeter. This has
> been well-understood for years - even my August 83 copy of the Orange Book
> says (for class C2):

1. Base Linux is not C2 certified
2. C2 is obsolete
3. NSA SELinux can do the needed stuff from scanning the code
4. Even then data erasure is not guaranteed because of the drive logic

So you are back to crypting swap in the first place.
