On Mon, Feb 13, 2012 at 8:57 PM, Marco d'Itri wrote:
> On Feb 13, Ian Jackson wrote:
>
>> The rule would be that if:
>>  * A file is being opened in a sticky directory
>>  * The file is going to be created by this operation
>>  * O_EXCL was not specified
>> then the syscall fails with EPERM.
>
> This should be easy to implement as a LSM.
Kees Cook implemented protections against symlink attacks in Yama (an LSM):

https://lwn.net/Articles/393012/

Of course LSMs don't yet stack, so it cannot be combined with SELinux etc.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise

Archive: http://lists.debian.org/CAKTje6EpvGTpX2mDV-9O9yvQuYg1asMHN=bz8trwevvnqz-...@mail.gmail.com
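The rule quoted from Ian Jackson above, modelled in userspace as an added example. This is not kernel code, not an LSM and not Yama's implementation; it is a stand-alone check that answers, for a given path and open(2) flags, whether the proposed rule would return EPERM. The function name sticky_create_check, the demo function demo_sticky_tmp and the scratch directory it builds under /tmp are all assumptions of this example. One case goes slightly beyond the text: a dangling symlink planted in the sticky directory (the classic /tmp race) is treated as "the file is going to be created", since open(O_CREAT) without O_EXCL would follow it and create the target.

```c
/* Added example: a userspace model of the sticky-directory rule quoted
 * above. Not kernel code, not an LSM, not Yama. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 0 if the proposed rule permits the open, EPERM if it rejects it.
 * Lookup failures on the parent directory are passed through as errno. */
int sticky_create_check(const char *path, int flags)
{
    if (!(flags & O_CREAT))
        return 0;                   /* the rule only concerns creation */

    char *copy = strdup(path);      /* dirname() may modify its argument */
    if (!copy)
        return ENOMEM;
    char *dir = dirname(copy);

    struct stat dst;
    if (stat(dir, &dst) != 0) {
        int e = errno;
        free(copy);
        return e;
    }
    free(copy);
    if (!(dst.st_mode & S_ISVTX))
        return 0;                   /* not a sticky directory: rule silent */

    /* Would this open create a file? stat() follows symlinks, so a dangling
     * symlink at path counts as "will be created" (the target would be). */
    struct stat fst;
    if (stat(path, &fst) == 0)
        return 0;                   /* existing file: no creation happens */

    if (flags & O_EXCL)
        return 0;                   /* O_EXCL: creation cannot follow a symlink */

    return EPERM;                   /* sticky dir + creation + no O_EXCL */
}

/* Builds a sticky scratch directory (constructed for this example) and runs
 * the cases of the rule. Returns 1 if every case matches the rule, else 0. */
int demo_sticky_tmp(void)
{
    char tmpl[] = "/tmp/stickyXXXXXX";   /* assumed scratch location */
    char *dir = mkdtemp(tmpl);
    if (!dir || chmod(dir, 01777) != 0)
        return 0;

    char newf[PATH_MAX], oldf[PATH_MAX], lnk[PATH_MAX], target[PATH_MAX];
    snprintf(newf, sizeof newf, "%s/new", dir);
    snprintf(oldf, sizeof oldf, "%s/existing", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    snprintf(target, sizeof target, "%s/victim-target", dir);

    int ok = 1;
    /* existing file: no creation, so the rule allows it */
    int fd = open(oldf, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) ok = 0; else close(fd);
    ok &= sticky_create_check(oldf, O_WRONLY | O_CREAT) == 0;
    /* new file without O_EXCL: rejected */
    ok &= sticky_create_check(newf, O_WRONLY | O_CREAT) == EPERM;
    /* new file with O_EXCL: allowed */
    ok &= sticky_create_check(newf, O_WRONLY | O_CREAT | O_EXCL) == 0;
    /* dangling symlink: open(O_CREAT) would follow it, so rejected */
    ok &= symlink(target, lnk) == 0;
    ok &= sticky_create_check(lnk, O_WRONLY | O_CREAT) == EPERM;
    /* with O_EXCL the rule is silent; the kernel itself answers EEXIST */
    ok &= sticky_create_check(lnk, O_WRONLY | O_CREAT | O_EXCL) == 0;

    unlink(lnk); unlink(oldf); rmdir(dir);
    return ok;
}

int main(void)
{
    int ok = demo_sticky_tmp();
    printf("sticky-directory rule cases %s\n", ok ? "match" : "DIFFER");
    return ok ? 0 : 1;
}
```

The check is advisory only: a real implementation has to make the decision inside the kernel at lookup time, otherwise there is a window between this stat() and the actual open(2) in which an attacker can still plant the symlink.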