Re: Defense in depth: LSM *modules*, not a static interface

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Casey Schaufler <casey@schaufler-ca.com>
To: Cliffe <cliffe@ii.net>, Peter Dolding <oiaohm@gmail.com>
Cc: Crispin Cowan <crispin@crispincowan.com>,
	Simon Arlott <simon@fire.lp0.eu>,
	linux-kernel@vger.kernel.org,
	linux-security-module@vger.kernel.org
Subject: Re: Defense in depth: LSM *modules*, not a static interface
Date: Tue, 6 Nov 2007 19:35:34 -0800 (PST)	[thread overview]
Message-ID: <671729.27434.qm@web36604.mail.mud.yahoo.com> (raw)
In-Reply-To: <4731361D.9030504@ii.net>

--- Cliffe <cliffe@ii.net> wrote:

> As good an idea POSIX capabilities might be,

Now that's a refreshing comment. Thank you.

> not all security problems 
> can be solved with a bitmap of on/off permissions.

There are people (I'm not one of them) who figure that you
can solve all the security problems by applying sufficiently
fine granularity of on/off permissions.

> Peter Dolding wrote:
> <lots o stuff>
> 
> Ok but what happens to the principle of least privilege?
> 
> What if we want AppArmor to confine that application to use a particular 
> set of ports?
> 
> Do you propose having a capability for each port? how about protocols?

While you're at it, how about a capability for each possible
directory entry name?

> So unless my understanding of capabilities is fundamentally flawed 
> (which it may be - I have not spent time reviewing recent changes) 
> obviously Linux capabilities does not provide a solution to every problem.

Of course they don't. The only problem they are intended
to solve, and I really mean this, is the association of uid 0
with privilege. That's it. You would be better off with a single
CAP_GODLIKE than with uid 0 having all privilege all the time.
Fine grained capabilities are a bonus, and there are lots of
people who think that it would be really nifty if there were a
separate capability for each "if" in the kernel. I personally
don't see need for more than about 20. That is a matter of taste.
DG/UX ended up with 330 and I say that's too many.

Casey Schaufler
casey@schaufler-ca.com

next prev parent reply	other threads:[~2007-11-07  3:35 UTC|newest]

Thread overview: 37+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2007-10-29 19:04 Linux Security *Module* Framework (Was: LSM conversion to static interface) Rob Meijer
2007-10-29 19:41 ` Crispin Cowan
2007-10-30  5:13   ` Peter Dolding
2007-10-30  7:14     ` Defense in depth: LSM *modules*, not a static interface Cliffe
2007-10-30  6:55       ` Al Viro
2007-10-30  7:55         ` Crispin Cowan
2007-10-30 15:01           ` Casey Schaufler
2007-10-30  8:00         ` Cliffe
2007-10-30 12:30       ` Simon Arlott
2007-11-06  3:46         ` Crispin Cowan
2007-11-06  7:26           ` Cliffe
2007-11-06 23:59             ` Peter Dolding
2007-11-07  3:50               ` Cliffe
2007-11-07  3:35                 ` Casey Schaufler [this message]
2007-11-07  4:11                   ` Tetsuo Handa
2007-11-07  4:34                     ` Peter Dolding
2007-11-07  4:34                     ` Casey Schaufler
2007-10-30 18:42     ` Linux Security *Module* Framework (Was: LSM conversion to static interface) Jan Engelhardt
2007-10-30 19:14       ` Casey Schaufler
2007-10-30 19:50         ` Jan Engelhardt
2007-10-30 23:38       ` Peter Dolding
2007-10-31  0:16         ` david
2007-10-31  2:21           ` Peter Dolding
2007-10-31  3:43             ` Casey Schaufler
2007-10-31  5:08             ` david
2007-10-31  6:43             ` Crispin Cowan
2007-10-31  9:03               ` Peter Dolding
2007-10-31 10:10               ` Toshiharu Harada
2007-11-01  2:04                 ` Peter Dolding
2007-11-01  2:20                   ` Casey Schaufler
2007-11-01  2:51                     ` Peter Dolding
2007-11-01  7:17                       ` Jan Engelhardt
2007-11-01 11:49                         ` David Newall
2007-11-04  1:28                           ` Peter Dolding
2007-11-05  6:56                       ` Andrew Morgan
2007-11-05 13:29                         ` Serge E. Hallyn
2007-10-29 20:27 ` Casey Schaufler

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=671729.27434.qm@web36604.mail.mud.yahoo.com \
    --to=casey@schaufler-ca.com \
    --cc=cliffe@ii.net \
    --cc=crispin@crispincowan.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=oiaohm@gmail.com \
    --cc=simon@fire.lp0.eu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.