MokSec - The Security Framework

[Tilman Baumann]

Kalle Happonen wrote:

> However, later on an easily configurable firewall would be almost 
> essential imho. Connecting to the phone (any port) over the wifi should 
> (almost?)never be allowed as default. Even if the point with the phone 
> is that users can do what they want, it doesn't mean that the apps they 
> install shouldn't be protected. And a firewall is almost the only viable 
> way. There's no easy way of making all the apps listen to just one 
> interface, and while host.allow/deny is more lightweight than a 
> firewall, those don't allow distinguishing of interface.

SELinux comes to mind. Or at least the capabilites framework.
This way i could choose to allow a app to open sockets. (Little bit like 
java sandboxes)
As far as i know we could even have a popup asking for permission.

And to give my 2 Eurocents to the everything as root discusion.
Running user apps as root must end, better soon.
If apps need things only root can do (not much comes to my mind) we 
could use sudo wrapper or SELinux rules.

-- 
Drucken Sie diese Mail bitte nur auf Recyclingpapier aus.
Please print this mail only on recycled paper.