PackageKit policy: background and plans

James Morris jmorris at namei.org
Sat Nov 21 02:34:09 UTC 2009


On Fri, 20 Nov 2009, Matthew Garrett wrote:

> Actually, thinking about it, even this isn't sufficient. An attacker 
> could change the ctrl+alt+F* bindings and use them to pop up a 
> full-screen window that looks like the console. So you'd also need to 
> set up securetty to ensure that root can only log in on real consoles. 

Right.  This is why we need trusted path (not just for consoles, but for 
interaction generally between users and the system).

The fundamental requirements for securing our systems were outlined in a 
paper by NSA researchers - "The Inevitability of Failure: The Flawed 
Assumption of Security in Modern Computing Environments"

http://www.nsa.gov/research/_files/publications/inevitability.pdf

I strongly recommend that Fedora developers read this.

Some of the requirements have been addressed since the paper was published 
(mostly in the area of adding Mandatory security via SELinux), although 
the desktop in particular still needs work.  There's been some progress, 
e.g. XACE, which allows us to begin locking down X itself (a video of 
the LPC session on this is at http://video.linuxfoundation.org/video/1566).

I was hoping to see more desktop and general OS developers at the security 
track of LPC -- it was mostly security folk talking to other security 
folk.  Certainly, I think we should try and find a way to get more 
discussion happening amongst different groups next time.

FWIW, I discussed the "inevitability" requirements as part of a broader 
talk on Linux security at KCA in Brisbane earlier this year; video & 
slides are online:

http://namei.org/presentations/linux-kernel-security-kca09.pdf
http://www.ustream.tv/recorded/1814752


-- 
James Morris
<jmorris at namei.org>
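
An added example, not part of the thread above, showing the check that the
securetty point in Matthew's quoted mail implies: a small POSIX shell audit of
an /etc/securetty file that flags every entry which is not the kernel console
or a kernel virtual terminal, since pam_securetty accepts a root login on any
tty named in that file (names without the /dev/ prefix). The sample file
contents are constructed for the example, and the allow-list (console plus
ttyN) is this example's assumption; a site with a physically secured serial
console would extend it.

```shell
#!/bin/sh
# Added example (not from the thread): audit /etc/securetty so that root
# logins are accepted only on kernel virtual consoles, the "real consoles"
# referred to above. pam_securetty consults /etc/securetty when root logs in.

# Constructed sample securetty contents (not a real system's file), with two
# entries deliberately placed outside the kernel consoles.
sample_securetty() {
    cat <<'EOF'
# ttys on which root may log in
console
tty1
tty2
tty3
tty4
tty5
tty6
pts/0     # a pseudo-terminal: any terminal emulator, including a spoofed one
ttyS0     # a serial line: real hardware, but not a kernel VT
EOF
}

# audit_securetty FILE
# Prints every entry that is not "console" or a kernel VT (ttyN) and
# returns 1 if any were found, 0 if the file is clean.
# The allow-list is this example's assumption, not a pam_securetty rule.
audit_securetty() {
    file=$1
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                  # strip comments
        line=$(printf '%s' "$line" | tr -d '[:space:]')   # strip whitespace
        if [ -z "$line" ]; then
            continue
        fi
        case "$line" in
            console) ;;
            tty[1-9]|tty[1-9][0-9]) ;;
            *) printf 'non-console entry: %s\n' "$line"; bad=1 ;;
        esac
    done < "$file"
    return "$bad"
}

main() {
    tmp=$(mktemp)
    sample_securetty > "$tmp"
    if audit_securetty "$tmp"; then
        echo "OK: root may log in only on kernel virtual consoles"
    else
        echo "WARNING: the entries above give root a login path that is not a real console"
    fi
    rm -f "$tmp"
}

main
```

On a real system the call is audit_securetty /etc/securetty; a non-zero exit
means at least one entry needs review. A pts/N entry is the case that defeats
the purpose: pseudo-terminals are what X terminal emulators hand out, so
listing one lets root log in through exactly the kind of window Matthew
describes, whatever the ctrl+alt+F* bindings do.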



