From: serue@us.ibm.com
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: serue@us.ibm.com, James Morris <jmorris@redhat.com>,
Tom Lendacky <toml@us.ibm.com>, Greg KH <greg@kroah.com>,
LKML <linux-kernel@vger.kernel.org>,
LSM <linux-security-module@wirex.com>,
Chris Wright <chrisw@osdl.org>,
Reiner Sailer <sailer@watson.ibm.com>,
Emily Rattlif <emilyr@us.ibm.com>,
Kylene Hall <kylene@us.ibm.com>
Subject: Re: [PATCH] 3 of 5 IMA: LSM-based measurement code
Date: Wed, 15 Jun 2005 16:48:54 -0500 [thread overview]
Message-ID: <20050615214854.GA3660@serge.austin.ibm.com> (raw)
In-Reply-To: <1118869090.16874.46.camel@moss-spartans.epoch.ncsc.mil>
Quoting Stephen Smalley (sds@tycho.nsa.gov):
> On Wed, 2005-06-15 at 15:49 -0500, serue@us.ibm.com wrote:
> > A long, long time ago, Crispin defined LSM's purpose as:
> >
> > >> Main goal : we have to design a generic framework to be able to use
> > >> better
> > >> security policies than the current ones (DAC and capabilities).
> > >
> > >Sort of. We have to design a generic interface that exports enough
> > >kernel
> > >functionality to allow security developers to go off and create these
> > >better
> > >security policy modules.
> >
> > Since IMA provides support for a new type of security policy,
> > specifically remote system integrity verification, I don't see
> > where LSM shouldn't necessarily be used.
>
> IMA isn't an access control model. Also, LSM is overkill for its needs
> in many ways (IMA only needs a few LSM hooks)
I don't think only needing a few of the hooks should disqualify it -
same is true of capability. On the other hand the fact that it always
grants permission could be taken to imply LSM is overkill. It seems
to come down to a question of aesthetics.
> and is inadequate in other
> ways (LSM lacks a hook needed by IMA for measuring modules, although one
> might argue that there could be benefit in adding such a hook to LSM
> itself for access control purposes).
True. In fact, since those hooks were originally dropped because there
wasn't a user for them, refusing a user because the hooks aren't there
would be hillarious!
> If you look at the inotify patch, I think that they've moved the dnotify
> hooks into a more generic set of fsnotify hooks that are leveraged by
> both dnotify and inotify to reduce duplication in the core kernel. The
Oh, cool, I actually hadn't noticed that. (Last I checked inotify was
in... november?)
> same approach could be used for hooks that would be co-located by audit
> and LSM or by integrity measurement and LSM. Of course, you don't want
In that case it seems to further obfuscate the code, though. We then
have a common update hook to just call integrity+LSM hooks, which
then call into their own subsystems...
Is there a distinct advantage to be gained by separating the two?
> to blindly place the integrity measurement hooks at the same locations
> if a different placement would be more optimal for your purposes, so
> you'd want to give it some thought.
That's true, of course. Reiner, would any of the integrity measurement
hooks be moved to a better place than the current LSM hooks? Is there a
preferred ordering - ie measurement should always happen before the LSM
modules, or always after? Either of these would of course be clear
reasons to separate IMA into its own subsystem.
thanks,
-serge
next prev parent reply other threads:[~2005-06-15 21:48 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-06-15 14:40 [PATCH] 3 of 5 IMA: LSM-based measurement code Reiner Sailer
2005-06-15 20:02 ` James Morris
2005-06-15 20:49 ` serue
2005-06-15 20:58 ` Stephen Smalley
2005-06-15 21:48 ` serue [this message]
2005-06-15 20:59 ` Chris Wright
2005-06-15 21:50 ` serue
2005-06-15 21:53 ` Chris Wright
2005-06-15 22:42 ` Serge E. Hallyn
2005-06-15 22:49 ` Chris Wright
2005-06-15 22:00 ` Casey Schaufler
2005-06-15 22:38 ` Serge E. Hallyn
2005-06-15 22:40 ` Chris Wright
2005-06-15 22:52 ` Serge E. Hallyn
2005-06-16 2:01 ` Chris Wright
-- strict thread matches above, loose matches on Subject: below --
2005-06-15 22:44 Reiner Sailer
2005-06-15 22:59 ` Chris Wright
2005-06-15 22:48 Reiner Sailer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20050615214854.GA3660@serge.austin.ibm.com \
--to=serue@us.ibm.com \
--cc=chrisw@osdl.org \
--cc=emilyr@us.ibm.com \
--cc=greg@kroah.com \
--cc=jmorris@redhat.com \
--cc=kylene@us.ibm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@wirex.com \
--cc=sailer@watson.ibm.com \
--cc=sds@tycho.nsa.gov \
--cc=toml@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox