deny send file to all but spesific ip or email

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

deny send file to all but spesific ip or email

Postby walid » Wed Aug 01, 2007 4:10 am

Can I make restriction on some files so that they can be read , write but cant be printed by some users and cant be copied to any other machine on network except the specified, and cant be emailed except to specified addresses?
walid
 
Posts: 1
Joined: Wed Aug 01, 2007 3:57 am

Postby spender » Wed Aug 01, 2007 8:03 pm

This sort of thing is impossible for any system, no matter how complex (including SELinux). Once a file is read into memory, there's no real control you can have over what gets done with it. Watching network traffic for the file isn't good enough because you can have covert channels/encryption, etc.
Protection within an application itself can be defeated if an attacker gains control of the process.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby msi » Tue Aug 14, 2007 6:26 am

you can use a ip/tcp filter to only let out smtp traffic out. And only smtp traffic with your allowed destinations.
but these restrctionts apply to your whole host and not only to specific files.
msi
 
Posts: 29
Joined: Fri Sep 13, 2002 2:37 pm

Postby specs » Fri Aug 17, 2007 2:08 am

You want some kind of DRM to protect your content.

You'll have to encrypt your content and use some central control system to grant access, deny access or revoke access. Most options mostly "outsource" the control over the content. Please check if you don't simply throw away security.

DRM is however incompatible with open source. Once unencrypted it can be copied and used anywhere. Open Source programms can be altered to create a copy to disk (or any other place).

You might want to search for TCPA, trusted computing and similar sources to view better explanations of the risks involved. You'll run into the same problems.
http://www.againsttcpa.com/
specs
 
Posts: 190
Joined: Sun Mar 26, 2006 7:00 am


Return to grsecurity support