Re: Executing an application
- Subject: Re: Executing an application
- From: Terry Lambert <email@hidden>
- Date: Mon, 13 Oct 2008 11:33:38 -0700
Actually, seatbelt uses MACF, the Mandatory Access Controls Framework,
not auditing.
And yes, there is an execve() variant that permits setting of a MAC
label on exec, but not one for posix_spawn().
We don't really have a statement other than that, since we can't
really comment on future product directions as part of our employment
contracts.
My advice to you would be to file a bug report.
-- Terry
On Oct 13, 2008, at 11:07 AM, mm w <email@hidden> wrote:
> Hi Terry,
> On Mon, Oct 13, 2008 at 10:47 AM, Terry Lambert <email@hidden> wrote:
>> There are a couple of easy answers on this, but you are not going to like them:
>> (1) Fix the problem and build your own kernel. Submit the patches back to Apple to increase the probability that things will be fixed the way you want them fixed.
> fair enough
>> (2) Common Criteria Auditing is narrowly defined by use model; as long as you don't use it outside the model, it remains valid. For system components shipped by a vendor, existing behaviour is technically allowed. Outside that, well, choose to use code paths involving execve() rather than posix_spawn().
> yep I'm right with this, but it doesn't solve the Finder part, and it's not my point
>> Do not expect a "hot fix" for already released code, and do not expect any fix whatsoever unless you file a bug report through the proper channels, rather than posting on a mailing list.
> I don't expect a Hot fix, it's somehow always a bad thing, my point was Leo should go thru a couple of revisions before snow-leo release, and it's not a "Big move", saying you have to wait for the next release of the OS was a kind of an "abusive answer", my point is I never argue about the Apple priorities and I'm aware there are a "couple other stuff" to do, but this is a part of "seatbelt" improvement politic
> Cheers!
Darwin-kernel mailing list (email@hidden)