Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

[Andi Kleen <ak@suse.de>]

> It does the job going off box, too. 

It does not as far as I can see. The IETF seems to have had very good
reasons to never advance that draft any further.

> The authentication issues are very real, but a separate issue.

First rule of network security: don't trust the network. And you seem
to trust your security to the network which is just double plus bogus.

Without authentication it's completely useless. I don't understand
how you can disregard that as "separate issue". Security is only
secure if you plugged all applicable holes; without that it's useless
and you might as well not bother.

> > It assumes a trusted network which is a very dangerous assumption.  I don't 
> > think that was in the original patch I looked at, I surely would have 
> > objected to it.
> >
> > Perhaps take the network part out? I guess SMACK would be useful
> > locally even without questionable network support.
> 
> That would break sockets. 

You didn't solve sockets security, so they cannot be really broken.

And it's not that network security isn't well understood and well supported
in Linux by various proven subsystems (ipsec, netfilter, ssh, openssl etc.). 

Adding a insecure additional placebo just doesn't seem like a good idea.

> I really doubt that you're suggesting that 
> cryptographic authentication is required on the loopback interface.

For local communication security there are better options like Unix sockets
which can be protected by standard file system protections. And most
networking is not over loopback after all. Only handling loopback is so limited 
that it's bordering to useless.

And again we have plenty of proven networking security solutions anyways.
They all work fine over loopback too. I don't really see what SMACK can add here.

-Andi