[OLPC Security] Thoughts on bitfrost capabilities, enforcement, and ACLs

Marcus Leech mleech at nortel.com
Tue Nov 6 14:46:21 EST 2007


C. Scott Ananian wrote:
> ...especially since there are really only two device (driver)s which
> need to be modified in this way.  We don't need a general-purpose
> revocation mechanism, just a way to revoke these two devices.
>   
Now, there are two devices.  Tomorrow, who knows?  But I'll agree that
for the special case of /dev/{audio,dsp,whatever} and /dev/video0, an
ioctl could be added.
> We don't even need the 'per-uid' business -- we can just add one 'turn
> off' ioctl that anyone with an open file handle could call.  We dup2
> the file descriptor before giving it to the activity, and rainbow
> holds its copy of the handle ready to perform the ioctl at the
> appropriate time.
>  --scott
>
>   
That certainly would deal with the "you have the mike, but only for 30
seconds" problem, but it might also open up abilities for malware to cut
off access to the mike/video/whatever.

Have you thought about the semantics of "unspringing" the trap created
by this ioctl()?



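The hand-off pattern discussed above (the supervisor opens the device, dup2()s the descriptor to the activity and keeps its own copy so it can later call a "turn off" ioctl) rests on two POSIX descriptor facts that the thread takes for granted. The following is an added example, not rainbow or OLPC code: a pipe stands in for the audio device, and O_NONBLOCK set via fcntl() stands in for the hypothetical turn-off ioctl, since a real one does not exist in any shipped kernel. It shows that a plain close() by the supervisor does not revoke the activity's dup'd handle (so revocation genuinely needs an in-kernel operation on the shared object), and that state kept on the shared open file description is visible through every dup, including the activity's own, which is exactly the "anyone with an open handle can call it" property Marcus is worried about.

```c
/* Added example: models the supervisor/activity descriptor hand-off with a
 * pipe in place of /dev/audio and O_NONBLOCK in place of a (hypothetical)
 * "turn off" ioctl.  Not code from rainbow, bitfrost or the OLPC tree. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* The supervisor closes its copy after handing a dup to the activity.
 * Returns 1 if the activity can still read, i.e. close() is not revocation. */
int close_does_not_revoke(void) {
    int p[2];
    if (pipe(p) != 0) return -1;
    int supervisor_fd = p[0];
    int activity_fd = dup(supervisor_fd);     /* the copy given to the activity */
    if (activity_fd < 0) return -1;
    (void)write(p[1], "mic", 3);              /* constructed "audio" sample */
    close(supervisor_fd);                     /* supervisor drops its handle */
    char buf[4];
    ssize_t n = read(activity_fd, buf, sizeof buf);   /* still succeeds */
    close(activity_fd);
    close(p[1]);
    return n == 3 && memcmp(buf, "mic", 3) == 0;
}

/* The activity, not the supervisor, flips a flag on the shared open file
 * description.  Returns 1 if the supervisor's descriptor observes it: state
 * that lives on the shared object can be changed by any holder of a dup. */
int shared_state_visible_to_all_holders(void) {
    int p[2];
    if (pipe(p) != 0) return -1;
    int supervisor_fd = p[0];
    int activity_fd = dup(supervisor_fd);
    if (activity_fd < 0) return -1;
    int fl = fcntl(activity_fd, F_GETFL);
    if (fl < 0 || fcntl(activity_fd, F_SETFL, fl | O_NONBLOCK) < 0) return -1;
    int sup_fl = fcntl(supervisor_fd, F_GETFL);
    /* Nothing has been written: with O_NONBLOCK now set on the shared
     * description, the supervisor's read returns -1/EAGAIN instead of
     * blocking.  The activity has changed the supervisor's view. */
    char buf[1];
    errno = 0;
    ssize_t n = read(supervisor_fd, buf, sizeof buf);
    int seen = (sup_fl & O_NONBLOCK) != 0 && n == -1 && errno == EAGAIN;
    close(supervisor_fd);
    close(activity_fd);
    close(p[1]);
    return seen;
}

int main(void) {
    printf("close() revokes the activity's handle: %s\n",
           close_does_not_revoke() == 1 ? "no" : "yes");
    printf("activity can flip shared state seen by supervisor: %s\n",
           shared_state_visible_to_all_holders() == 1 ? "yes" : "no");
    return 0;
}
```

The second function is the crux of the "malware cuts off the mike" objection: if the proposed ioctl acts on the open file description or the device rather than on a per-caller identity, any process holding a dup can spring it, and a legitimate activity can be silenced by an unrelated process that ever obtained a handle. Any "unspringing" design has to decide whether re-arming is done by the supervisor reopening the device (a fresh file description) or by a second ioctl, and in the latter case who is allowed to call it.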