From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Randy Dunlap <randy.dunlap@oracle.com>
Cc: linux-security-module@vger.kernel.org, safford@watson.ibm.com,
serue@linux.vnet.ibm.com, kjhall@linux.vnet.ibm.com,
zohar@us.ibm.com, linux-kernel@vger.kernel.org
Subject: Re: [RFC] [Patch 1/1] IBAC Patch
Date: Fri, 09 Mar 2007 08:19:36 -0500 [thread overview]
Message-ID: <1173446376.24710.0.camel@localhost.localdomain> (raw)
In-Reply-To: <20070308150839.7c191323.randy.dunlap@oracle.com>
On Thu, 2007-03-08 at 15:08 -0800, Randy Dunlap wrote:
> On Thu, 08 Mar 2007 17:58:16 -0500 Mimi Zohar wrote:
>
> > This is a request for comments for a new Integrity Based Access
> > Control(IBAC) LSM module which bases access control decisions
> > on the new integrity framework services.
> >
> > (Hopefully this will help clarify the interaction between an LSM
> > module and LIM module.)
> >
> > Index: linux-2.6.21-rc3-mm2/security/ibac/Kconfig
> > ===================================================================
> > --- /dev/null
> > +++ linux-2.6.21-rc3-mm2/security/ibac/Kconfig
> > @@ -0,0 +1,36 @@
> > +config SECURITY_IBAC
> > + boolean "IBAC support"
> > + depends on SECURITY && SECURITY_NETWORK && INTEGRITY
> > + help
> > + Integrity Based Access Control(IBAC) implements integrity
> > + based access control.
>
> Please make the help text do more than repeat the words I B A C...
> Put a short explanation or say something like:
> See Documentation/security/foobar.txt for more information.
> (and add that file)
Agreed. Perhaps something like:
Integrity Based Access Control(IBAC) uses the Linux Integrity
Module(LIM) API calls to verify an executable's metadata and
data's integrity. Based on the results, execution permission
is permitted/denied. Integrity providers may implement the
LIM hooks differently. For more information on integrity
verification refer to the specific integrity provider
documentation.
> > +config SECURITY_IBAC_BOOTPARAM
> > + bool "IBAC boot parameter"
> > + depends on SECURITY_IBAC
> > + default y
> > + help
> > + This option adds a kernel parameter 'ibac', which allows IBAC
> > + to be disabled at boot. If this option is selected, IBAC
> > + functionality can be disabled with ibac=0 on the kernel
> > + command line. The purpose of this option is to allow a
> > + single kernel image to be distributed with IBAC built in,
> > + but not necessarily enabled.
> > +
> > + If you are unsure how to answer this question, answer N.
>
> What's the downside to having this always builtin instead of
> yet another config option?
The ability of changing LSM modules at runtime might be perceived
as problematic.
> > +static struct security_operations ibac_security_ops = {
> > + .bprm_check_security = ibac_bprm_check_security
> > +};
> > +
> > +static int __init init_ibac(void)
> > +{
> > + int rc;
> > +
> > + if (!ibac_enabled)
> > + return 0;
> > +
> > + rc = register_security(&ibac_security_ops);
> > + if (rc != 0)
> > + panic("IBAC: Unable to register with kernel\n");
>
> Normally we would not want to see a panic() from a register_xyz()
> failure, but I guess you are arguing that an ibac register_security()
> failure needs to halt everything??
Yes, as this implies that another LSM module registered the hooks first,
preventing IBAC from registering itself.
Thank you for your other comments. They'll be addressed in the next
ibac patch release.
Mimi Zohar
next prev parent reply other threads:[~2007-03-09 13:07 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-03-08 22:58 [RFC] [Patch 1/1] IBAC Patch Mimi Zohar
2007-03-08 23:08 ` Randy Dunlap
2007-03-09 13:19 ` Mimi Zohar [this message]
2007-03-09 18:26 ` Randy Dunlap
2007-03-09 3:19 ` Valdis.Kletnieks
2007-03-09 15:07 ` Serge E. Hallyn
2007-03-12 21:47 ` Mimi Zohar
2007-03-13 15:31 ` Serge E. Hallyn
2007-03-14 9:46 ` Mimi Zohar
2007-03-14 2:27 ` Seth Arnold
2007-03-14 11:25 ` Mimi Zohar
2007-03-14 18:48 ` Seth Arnold
-- strict thread matches above, loose matches on Subject: below --
2007-03-14 9:49 Mimi Zohar
2007-06-18 20:48 [RFC][Patch " Mimi Zohar
2007-06-19 22:23 ` Serge E. Hallyn
2007-06-20 11:52 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1173446376.24710.0.camel@localhost.localdomain \
--to=zohar@linux.vnet.ibm.com \
--cc=kjhall@linux.vnet.ibm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=randy.dunlap@oracle.com \
--cc=safford@watson.ibm.com \
--cc=serue@linux.vnet.ibm.com \
--cc=zohar@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox