No subject


Sat Apr 5 03:57:03 MDT 2008


that stop permissions from 'explicitly' being delegated would be a waste of
time and resources, and in addition to this may result in undue confidence
in policy that uses these measures, and may give the impression that it
implements a policy that by fundamental impossibilities could never actually
be fully enforced (at least when you take the authority rather than the
permission view on delegation).

Given this, I do agree with you that the accidental delegation on exec is
a major problem, I however do not agree that it is the delegation itself
that is the source of the problem, or that in blocking 'explicit'
delegation there could be a solution.

In my view it is the lack of explicit designation where the problem lies,
and thus I feel that we should look for a solution in making fd's that are
passed on exec being passed (or being marked as not being passed) by
designation in a more explicit way.

I feel that a solution may lie in adding a system call that allows Fd's
to be designated for passing on exec, and then to 'on exec' mark all
Fd's of the child process that weren't explicitly designated by the parent
process as 'leaked' permissions. I don't know if this solution would be
simple, hard or impossible within the LSM framework, but something along
this line would be where I feel a solution should be looked for.

Further, where there may be some justification for making Fd passing
across exec policy based (although I would feel it's a bit overkill for the
problem it solves), doing the same for Fd's passed over sockets would I feel
be a bit too much.

Do you at least agree that it is a designation rather than a delegation
that is the underlying problem in the accidentally passed Fd's?



Rob
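The explicit designation the post argues for, sketched in userspace as an added example (not code from this thread or from AppArmor): every open fd the parent has not named is marked FD_CLOEXEC before the exec, so only the designated fds are inherited and nothing leaks by accident. It uses the existing FD_CLOEXEC flag in place of the proposed kernel-side 'leaked' marking, and the walk over /proc/self/fd is a Linux-specific assumption.

```c
#include <dirent.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>

/* 1 if fd would be inherited across exec, 0 if FD_CLOEXEC stops that, -1 if not open. */
int fd_survives_exec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : ((flags & FD_CLOEXEC) ? 0 : 1);
}

/* Explicit designation: every open fd NOT listed in keep[] gets FD_CLOEXEC, so
 * only the designated fds cross the next exec. Walks /proc/self/fd (Linux-specific,
 * an assumption of this example). Returns the number of fds newly marked, -1 on error. */
int designate_fds_for_exec(const int *keep, size_t nkeep)
{
    DIR *dir = opendir("/proc/self/fd");
    if (!dir) return -1;
    int marked = 0;
    struct dirent *ent;
    while ((ent = readdir(dir)) != NULL) {
        if (ent->d_name[0] == '.')
            continue;                       /* "." and ".." */
        int fd = atoi(ent->d_name);
        size_t i;
        for (i = 0; i < nkeep && keep[i] != fd; i++) {}
        if (i < nkeep)
            continue;                       /* designated: stays inheritable */
        int flags = fcntl(fd, F_GETFD);
        if (flags < 0 || (flags & FD_CLOEXEC))
            continue;                       /* closed meanwhile, or already marked */
        if (fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == 0)
            marked++;
    }
    closedir(dir);
    return marked;
}

/* Self-check: designate only a pipe's read end; the write end must be cut off. Returns 1 on success. */
int demo(void)
{
    int p[2];
    if (pipe(p) < 0) return -1;
    int keep[1] = { p[0] };                 /* the one fd the parent means to pass */
    int n = designate_fds_for_exec(keep, 1);
    int ok = n >= 1 && fd_survives_exec(p[0]) == 1 && fd_survives_exec(p[1]) == 0;
    close(p[0]); close(p[1]);
    return ok;
}
```

Note that stdin/stdout/stderr are also cut off unless listed in keep[], which is the point: nothing crosses exec without being named.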



