linux-security-module.vger.kernel.org archive mirror
From: james.l.morris@oracle.com (James Morris)
To: linux-security-module@vger.kernel.org
Subject: [RFC v2 2/3] LSM: Add statistics about the invocation of dynamic hooks
Date: Mon, 11 Dec 2017 09:21:28 +1100 (AEDT)
Message-ID: <alpine.LFD.2.20.1712110911170.19397@localhost>
In-Reply-To: <0d030add49ec1dfd2971e955ab7856cc536e37b1.1512704909.git.sargun@netflix.com>

On Fri, 8 Dec 2017, Sargun Dhillon wrote:

> The purpose of this is similar to the purpose of something like
> iptables -L -n. With the proliferation of LSMs, it's going to
> be more important to have a way to understand what's going on.

The difference with iptables being that it's an application on top of the 
netfilter hooks, with strongly defined behavioral semantics for matches 
and targets, while their configuration is the security policy.

LSM is more like the raw netfilter layer, and I don't think you can make a 
lot of sense from a list of just which hooks are active.  You need 
semantic knowledge of how those hooks are configured, i.e. security 
policy.

I suggest dropping this part for now at least, and perhaps think about 
building an API on top of this feature with strongly defined semantics 
(e.g. something like iptables on top of netfilter). 


- James
-- 
James Morris
<james.l.morris@oracle.com>

