From: Kaoru Esashika
Date: Wed, 29 Jul 2020 05:08:13 +0900
Subject: Re: [gentoo-soc] Weekly Report: Fusebox - FUSE Powered sandbox project
To: gentoo-soc@lists.gentoo.org

Hi,

Thank you for your advice and for reviewing my code, EBo.
I agree with your advice; the whitelist method is good practice.
In my current code, the default security model is the whitelist method.
However, in the test code, I change it to the blacklist method for convenience.
So I guess you might have misunderstood.
Because the behavior of ACL should be maintained to Gentoo's sandbox,
this behavior might be changed in the future.

Anyway, thank you for your advice. I'll keep your advice in mind.

On Mon, Jul 27, 2020 at 1:48 PM EBo wrote:
>
> Recently I was watching some videos that were looking at vulnerabilities
> in IP camera systems and many of the fails that the security person was
> able to exploit were forgetting to lock down access to some directory or
> file so that he was able to first examine a program or script, and then
> determine points of access. With the discussion here I was wondering if
> there was any mechanism to turn all access off, and then 'grant' access
> to something. This may be similar to how Gentoo's USE flags can be
> likewise cleaned by: "USE = "-* X alsa..."
>
> Anyway, I browsed your tests and did not find anything and thought I
> might mention it.
>
> EBo --
>
> On Jul 26 2020 5:00 PM, Kaoru Esashika wrote:
> > Hi,
> > This week, I wrote the code about ACL (Access Control List).
> > The ACL allows you to actually control whether or not the application
> > can access your files.
> > This implementation also includes an interface that allows you to
> > control access to the files dynamically.
> > Specifically, you can control access to specific files by writing a
> > list of files to be controlled in a special virtual file called a
> > control file.
> >
> > Next week, I will integrate the Fusebox with emerge/portage. And also,
> > I need to prepare for evaluation...
> >
> > Project Repository: https://github.com/pluser/fusebox
> >
> > Regards,
> > Kaoru Esashika
> >
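
The two models discussed in this thread (everything off, then grants, as with `USE="-*"`, versus the default-allow mode used in the tests), side by side as an added example that is not Fusebox's code. The `PathACL` class, its longest-prefix rule semantics and the sample paths are assumptions constructed for illustration.

```python
import posixpath


class PathACL:
    """Hypothetical path ACL: prefix rules plus a default for unlisted paths."""

    def __init__(self, default_allow=False):
        # default_allow=False is the whitelist model (deny unless granted);
        # default_allow=True is the blacklist model (allow unless denied).
        self.default_allow = default_allow
        self.rules = []  # list of (normalized prefix, allow)

    @staticmethod
    def _norm(path):
        # Lexical normalization only: collapses "..", "." and repeated
        # slashes so "a/../../etc" cannot slip past a prefix grant.
        # Symlinks are NOT resolved here.
        return posixpath.normpath("/" + path.lstrip("/"))

    def grant(self, prefix):
        self.rules.append((self._norm(prefix), True))

    def deny(self, prefix):
        self.rules.append((self._norm(prefix), False))

    def allowed(self, path):
        p = self._norm(path)
        best = None
        for prefix, allow in self.rules:
            # Match whole path components, so a grant on /var/tmp/portage
            # does not also cover /var/tmp/portage-evil.
            if p == prefix or p.startswith(prefix.rstrip("/") + "/"):
                # Longest prefix wins; on a tie the later rule wins.
                if best is None or len(prefix) >= len(best[0]):
                    best = (prefix, allow)
        return best[1] if best else self.default_allow


def build_whitelist():
    acl = PathACL(default_allow=False)      # like USE="-*": start from nothing
    acl.grant("/var/tmp/portage")           # constructed sample grant
    acl.deny("/var/tmp/portage/secret")     # carve-out inside the grant
    return acl


def build_blacklist():
    acl = PathACL(default_allow=True)       # test-style convenience mode
    acl.deny("/etc")                        # only what someone remembered
    return acl
```

A path nobody listed, such as a home directory key file, is refused by `build_whitelist()` and permitted by `build_blacklist()`, which is the forgotten-directory failure described in the quoted message.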