Re: Executing an application
- Subject: Re: Executing an application
- From: "mm w" <email@hidden>
- Date: Mon, 13 Oct 2008 11:07:58 -0700
Hi Terry,
On Mon, Oct 13, 2008 at 10:47 AM, Terry Lambert <email@hidden> wrote:
> There are a couple of easy answers on this, but you are not going to like
> them:
>
> (1) Fix the problem and build your own kernel. Submit the patches back to
> Apple to increase the probability that things will be fixed the way you want
> them fixed.
Fair enough.
>
> (2) Common Criteria Auditing is narrowly defined by use model; as long as
> you don't use it outside the model, it remains valid. For system components
> shipped by a vendor, existing behaviour is technically allowed. Outside
> that, well, choose to use code paths involving execve() rather than
> posix_spawn().
Yep, I'm right with this, but it doesn't solve the Finder part, and it's not my point.
>
> Do not expect a "hot fix" for already released code, and do not expect any fix
> whatsoever unless you file a bug report through the proper channels, rather
> than posting on a mailing list.
>
I don't expect a hot fix; it's somehow always a bad thing. My point was that
Leo should go through a couple of revisions before the Snow Leo release, and
it's not a "big move". Saying you have to wait for the next release of the OS
was kind of an "abusive answer". My point is I never argue about Apple's
priorities, and I'm aware there is a "couple other stuff" to do, but this is
part of the "seatbelt" improvement policy.
Cheers!
> -- Terry
>
> On Oct 13, 2008, at 10:04 AM, mm w <email@hidden> wrote:
>>
>> Hi Jacques, but it's so far in the future; the needs are now, not in the
>> next release of the system. Imagine if you said the same thing on another
>> list about a wonderful open system: you have to wait for the next release
>> of the whole operating system to correct this. It's nonsense.
>>
>> Cheers!
>>
>> On Mon, Oct 13, 2008 at 9:44 AM, Jacques Vidrine <email@hidden> wrote:
>>>
>>> On Oct 11, 2008, at 9:23 PM, Todd Heberlein wrote:
>>>
>>>>> Double-clicking an app will cause launchd to fork and start the process.
>>>>> On Leopard posix_spawn is used to start the new process. E.g.
>>>>
>>>> Looking at the launchd source code, it looks like it sets the appropriate
>>>> audit mask *before* calling posix_spawn().
>>>>
>>>> So is it possible that posix_spawn() doesn't create an audit record? This
>>>> seems challenging... there may be no way to identify in the audit trail the
>>>> name of a program started with launchd (?). This will make security auditing
>>>> difficult.
>>>
>>> It is likely that there are some launchd code paths which do not result in
>>> setting the audit mask before invoking posix_spawn(). There is significant
>>> remediation and enhancement work happening in this area for Snow Leopard.
--
-mmw
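The gap Todd and Jacques discuss above, a process launched by launchd for which the audit trail may hold no exec record, or a record with no program name, is something an auditor can check for mechanically rather than by reading records by hand. The block below is an added example and not code from this thread, from launchd or from OpenBSM: it runs a coverage check over a constructed process list and constructed praudit-style records. The comma-separated token layout (header / subject / path / exec arg / trailer, with the pid as the sixth field of the subject token) and the event names execve(2) and posix_spawn(2) are assumptions about praudit's default text output; confirm them against real praudit output before trusting the field positions.

```python
"""Audit-coverage check: find process launches with no matching exec record
in a BSM-style audit trail, and exec records that name no program.

Added example; not code from the thread, launchd or OpenBSM. All input is
constructed inline. The token layout mimics praudit(1)'s default text
output as an assumption; verify field positions against a real trail."""

# Event names as praudit is assumed to print them for the exec family.
EXEC_EVENTS = {"execve(2)", "execv(2)", "posix_spawn(2)"}

# Constructed process launches: (pid, parent pid, executable path).
# Parent pid 1 stands for launchd.
PROCESS_LAUNCHES = [
    (503, 400, "/bin/ls"),                                          # shell child
    (501, 1, "/Applications/TextEdit.app/Contents/MacOS/TextEdit"),  # launchd child
    (502, 1, "/Applications/Safari.app/Contents/MacOS/Safari"),      # launchd child
    (504, 1, "/Applications/Mail.app/Contents/MacOS/Mail"),          # launchd child
]

# Constructed praudit-style text, one token per line, "header" to "trailer".
# Safari (pid 502) has no exec record at all; Mail (pid 504) has a record
# that carries neither a path nor an exec arg token.
AUDIT_TRAIL = """\
header,120,11,execve(2),0,Mon Oct 13 11:07:58 2008, + 12 msec
exec arg,/bin/ls
path,/bin/ls
attribute,100755,root,wheel,234881026,1234,0
subject,501,root,wheel,root,wheel,503,400,0,0.0.0.0
return,success,0
trailer,120
header,140,11,posix_spawn(2),0,Mon Oct 13 11:08:02 2008, + 3 msec
exec arg,/Applications/TextEdit.app/Contents/MacOS/TextEdit
path,/Applications/TextEdit.app/Contents/MacOS/TextEdit
subject,501,user,staff,user,staff,501,1,0,0.0.0.0
return,success,0
trailer,140
header,80,11,posix_spawn(2),0,Mon Oct 13 11:08:05 2008, + 9 msec
subject,501,user,staff,user,staff,504,1,0,0.0.0.0
return,success,0
trailer,80
"""


def parse_audit_records(text):
    """Split praudit-style text into records. Each record is a dict with the
    header event name, the subject pid (if any) and the program paths found
    in path / exec arg tokens."""
    records, current = [], None
    for line in text.splitlines():
        fields = line.split(",")
        token = fields[0]
        if token == "header":
            # header,<len>,<version>,<event>,<modifier>,<time>, + <msec> msec
            current = {"event": fields[3].strip(), "pid": None, "paths": []}
        elif current is None:
            continue  # token outside any record: ignore it
        elif token == "trailer":
            records.append(current)
            current = None
        elif token == "subject" and len(fields) > 6:
            # subject,auid,euid,egid,ruid,rgid,pid,sid,tid-port,tid-addr (assumed)
            current["pid"] = int(fields[6])
        elif token == "path" and len(fields) > 1:
            current["paths"].append(fields[1])
        elif token == "exec arg" and len(fields) > 1:
            current["paths"].append(fields[1])  # argv[0]
    return records


def exec_records(records):
    """Only the records whose header event is an exec-family call."""
    return [r for r in records if r["event"] in EXEC_EVENTS]


def exec_records_without_path(records):
    """Exec records that carry no path or exec arg token: the trail shows
    that a program started but not which one."""
    return [r for r in exec_records(records) if not r["paths"]]


def launches_without_exec_record(launches, records):
    """Launches whose pid never appears as the subject of an exec record:
    the trail is silent about them."""
    audited_pids = {r["pid"] for r in exec_records(records)}
    return [launch for launch in launches if launch[0] not in audited_pids]


if __name__ == "__main__":
    recs = parse_audit_records(AUDIT_TRAIL)
    for pid, ppid, path in launches_without_exec_record(PROCESS_LAUNCHES, recs):
        print(f"no exec record: pid {pid} (ppid {ppid}) {path}")
    for r in exec_records_without_path(recs):
        print(f"exec record without program name: pid {r['pid']} ({r['event']})")
```

Run against a real trail, the two lists are the ones to reconcile with process accounting: the first says a launch never reached the audit subsystem, the second says the record exists but cannot tell you what ran, which is the case Todd raises for programs started through launchd.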