From: David Meybohm <dmeybohmlkml@bellsouth.net>
To: Andi Kleen <ak@muc.de>
Cc: Christoph Hellwig <hch@lst.de>, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] disallow modular capabilities
Date: Sun, 2 Jan 2005 19:21:02 -0500 [thread overview]
Message-ID: <20050103002102.GA5987@localhost> (raw)
In-Reply-To: <20050102233039.GB71343@muc.de>
On Mon, Jan 03, 2005 at 12:30:39AM +0100, Andi Kleen wrote:
>
> A kernel module is by definition a security hole. It can do everything,
> including setting the uids of all processes to 0.
Yes, but allowing the administrator to easily unintentionally create
security holes in loading a security module defeats the whole purpose of
having modular security.
> > the new security module that is being loaded has no idea what state all
> > processes are in when the module gets loaded?
>
> This can still be fine if you don't care about the security of
> everything that runs before (e.g. because it is controlled early
> startup code). If you care about their security don't do it when
> it hurts.
But this also means every security module has to handle the case of
being loaded after this time in the boot process interactively by
administrators. That's very complex and race-prone.
> > What do you think about only allowing init to load LSM modules i.e.
> > check in {mod,}register_security that current->pid == 1.
>
> I think it's a bad idea. Such policy should be left to user space.
Well, by excluding some policy you have to put more code in the kernel
in the LSM modules to handle being loaded at any time. So, I don't
think the dogma of "no policy in the kernel" is a good one to follow
here: it ignores the problem and creates new ones.
Dave
next prev parent reply other threads:[~2005-01-03 0:27 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-01-02 20:00 [PATCH] disallow modular capabilities Christoph Hellwig
2005-01-02 20:01 ` Christoph Hellwig
2005-01-02 20:28 ` Andi Kleen
2005-01-02 20:30 ` Christoph Hellwig
2005-01-02 20:47 ` Andi Kleen
2005-01-02 22:36 ` David Meybohm
2005-01-02 23:30 ` Andi Kleen
2005-01-03 0:21 ` David Meybohm [this message]
2005-01-03 0:32 ` Andi Kleen
2005-01-03 14:38 ` Florian Weimer
2005-01-03 15:52 ` Alan Cox
2005-01-04 20:24 ` Lee Revell
2005-01-04 21:05 ` Linus Torvalds
2005-01-04 21:08 ` Christoph Hellwig
2005-01-04 21:31 ` Chris Wright
2005-01-04 21:09 ` Lee Revell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20050103002102.GA5987@localhost \
--to=dmeybohmlkml@bellsouth.net \
--cc=ak@muc.de \
--cc=hch@lst.de \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox