Re: Re:Re: Re:Re: about ss - Stephen Smalley

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Stephen Smalley <sds@tycho.nsa.gov>
To: Yao <yffbrave@163.com>
Cc: SELinux@tycho.nsa.gov
Subject: Re: Re:Re: Re:Re: about ss
Date: Wed, 23 Mar 2011 09:24:26 -0400	[thread overview]
Message-ID: <1300886666.26747.15.camel@moss-pluto> (raw)
In-Reply-To: <b41b75.151b.12ee0439347.Coremail.yffbrave@163.com>

On Wed, 2011-03-23 at 09:10 +0800, Yao wrote:
> Maybe I should explain. We think kernel is untrusted, ss is trusted.
> we protect the security server through gerenating a separate address
> space. When we need to use ss, we switch to this space. If untrusted
> kernel code can be executed, what we do became meaningless. That's why
> we want the ss self-contained. And our work should apply to flask
> architecture, that's why we chose selinux.
> Is it possible to fulill my goal without modifying ss excessively?

The kernel has to be trusted - it runs in ring 0.
And the security server is just a policy engine - it just provides
policy decisions to the kernel upon request.  The kernel performs the
policy enforcement of those decisions.

In Fluke/Flask, the security server ran in userspace, but that was a
microkernel-based OS.  And even there, we weren't trying to protect the
security server from the (micro)kernel.

It doesn't make sense to try to protect the security server apart from
the rest of the kernel.

-- 
Stephen Smalley
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

next prev parent reply	other threads:[~2011-03-23 13:24 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-03-18  0:43 about ss Yao
2011-03-18 14:02 ` Stephen Smalley
2011-03-21  3:11   ` Yao
2011-03-21  8:31     ` Kohei Kaigai
2011-03-21 12:29     ` Stephen Smalley
2011-03-23  1:10       ` Yao
2011-03-23 13:24         ` Stephen Smalley [this message]
2011-03-25  6:11           ` Yao
2011-03-25 12:43             ` Stephen Smalley
2011-03-28  0:55               ` Yao
2011-03-28 12:49                 ` Stephen Smalley

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1300886666.26747.15.camel@moss-pluto \
    --to=sds@tycho.nsa.gov \
    --cc=SELinux@tycho.nsa.gov \
    --cc=yffbrave@163.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.