From: Michael Stone <michael@laptop.org>
To: "Serge E. Hallyn" <serue@us.ibm.com>
Cc: linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org,
"Andi Kleen" <andi@firstfloor.org>, "David Lang" <david@lang.hm>,
"Oliver Hartkopp" <socketcan@hartkopp.net>,
"Alan Cox" <alan@lxorguk.ukuu.org.uk>,
"Herbert Xu" <herbert@gondor.apana.org.au>,
"Valdis Kletnieks" <Valdis.Kletnieks@vt.edu>,
"Bryan Donlan" <bdonlan@gmail.com>,
"Evgeniy Polyakov" <zbr@ioremap.net>,
"C. Scott Ananian" <cscott@cscott.net>,
"James Morris" <jmorris@namei.org>,
"Eric W. Biederman" <ebiederm@xmission.com>,
"Bernie Innocenti" <bernie@codewiz.org>,
"Mark Seaborn" <mrs@mythic-beasts.com>,
"Randy Dunlap" <randy.dunlap@oracle.com>,
"Américo Wang" <xiyou.wangcong@gmail.com>,
"Tetsuo Handa" <penguin-kernel@i-love.sakura.ne.jp>,
"Samir Bellabes" <sam@synack.fr>,
"Casey Schaufler" <casey@schaufler-ca.com>,
"Michael Stone" <michael@laptop.org>
Subject: Re: A basic question about the security_* hooks
Date: Thu, 24 Dec 2009 20:11:29 -0500 [thread overview]
Message-ID: <20091225011128.GA5213@heat> (raw)
In-Reply-To: <20091225001422.GB22311@us.ibm.com>
Serge Hallyn writes:
> Michael Stone writes:
>> In particular, what would be worse about a kernel in which each security hook
>> contained nothing but conditionally-compiled function calls to the appropriate
>> "real" implementation functions with early-exit jumps on non-zero return codes?
>
> The problem is that composing any two security policies can quickly have
> subtle, unforeseen, but dangerous effects.
First, thanks very much for your helpful explanations and pragmatic advice.
Second, two thoughts and a question:
1. I think you're probably correct when we're discussing security policies
chosen uniformly at random from the space of all possible such policies.
However, I believe that the cost-benefit ratio favors composition quite
strongly when we're discussing real security policies which where designed
with composition in mind, as is the case with my work.
2. The problem you cite is an inherent property of software assurance which
is indepedent of software assurance of information-security-specific
properties. Thus, while you are correct that composition sometimes makes
it harder to assure a system due to the increased number of "moving
parts" that have to fit together perfectly, it also frequently makes the
assurance problem more tractable by reducing the cost to assure the
individual pieces which are being composed.
3. Have you any specific examples of problems that have been clearly averted
by the current arrangement?
> So with your module, I'd recommend following the route of the capabilities
> LSM. You can provide an optional stand-alone LSM which only hooks your
> functions. Then smack, for instance, can call the functions in your LSM
> from within its own hooks, or it can simply explicitly assign its hooks to
> your functions in smack_ops. Selinux can do the same thing, although I
> suspect they would more likely implement their own functions for your newly
> hooked sites.
Doesn't it seem a bit strange to you to be recommending that everyone else
using the five security hooks I want to use modify their code *in detail* to
support my functionality given that my functionality is explicitly intended not
to require any such work on their part?
This seems frankly silly to me, not to mention expensive and error-prone.
Instead, perhaps we'd be better off with something like a declarative
compile-time whitelist or blacklist for compositions?
Regards,
Michael
next prev parent reply other threads:[~2009-12-25 1:09 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-12-24 2:29 A basic question about the security_* hooks Michael Stone
2009-12-24 4:50 ` Casey Schaufler
2009-12-24 12:53 ` Eric W. Biederman
2009-12-24 21:55 ` Tetsuo Handa
2009-12-25 0:05 ` Serge E. Hallyn
2009-12-31 17:50 ` David P. Quigley
2010-01-04 2:12 ` Paul Moore
2009-12-24 7:36 ` Evgeniy Polyakov
2009-12-24 18:57 ` Samir Bellabes
2009-12-25 0:14 ` Serge E. Hallyn
2009-12-25 1:11 ` Michael Stone [this message]
2009-12-25 5:50 ` Serge E. Hallyn
2009-12-26 19:50 ` Michael Stone
2009-12-27 3:16 ` Serge E. Hallyn
2009-12-27 4:02 ` Tetsuo Handa
2009-12-27 10:56 ` Valdis.Kletnieks
2009-12-27 14:54 ` Serge E. Hallyn
2009-12-27 20:28 ` David Wagner
2009-12-28 2:08 ` Valdis.Kletnieks
2009-12-28 11:51 ` Tetsuo Handa
2009-12-28 14:45 ` Valdis.Kletnieks
2009-12-28 14:51 ` Valdis.Kletnieks
2009-12-29 13:01 ` Label based MAC + Name based MAC (was Re: A basic question about the security_* hooks) Tetsuo Handa
2010-01-02 13:56 ` A basic question about the security_* hooks Pavel Machek
2009-12-28 15:24 ` Kyle Moffett
2009-12-29 1:43 ` Casey Schaufler
2009-12-29 19:02 ` Kyle Moffett
2009-12-30 19:49 ` Casey Schaufler
2009-12-27 0:33 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20091225011128.GA5213@heat \
--to=michael@laptop.org \
--cc=Valdis.Kletnieks@vt.edu \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=andi@firstfloor.org \
--cc=bdonlan@gmail.com \
--cc=bernie@codewiz.org \
--cc=casey@schaufler-ca.com \
--cc=cscott@cscott.net \
--cc=david@lang.hm \
--cc=ebiederm@xmission.com \
--cc=herbert@gondor.apana.org.au \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mrs@mythic-beasts.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=randy.dunlap@oracle.com \
--cc=sam@synack.fr \
--cc=serue@us.ibm.com \
--cc=socketcan@hartkopp.net \
--cc=xiyou.wangcong@gmail.com \
--cc=zbr@ioremap.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox