From: Crispin Cowan <crispin@wirex.com>
To: LA Walsh <law@tlinx.org>
Cc: "'Christoph Hellwig'" <hch@infradead.org>,
torvalds@transmeta.com, linux-security-module@wirex.com,
linux-kernel@vger.kernel.org
Subject: Re: [BK PATCH] LSM changes for 2.5.59
Date: Sun, 09 Feb 2003 19:40:17 -0800 [thread overview]
Message-ID: <3E471F21.4010803@wirex.com> (raw)
In-Reply-To: 001001c2d0b0$cf49b190$1403a8c0@sc.tlinx.org
[-- Attachment #1: Type: text/plain, Size: 2245 bytes --]
LA Walsh wrote:
>>From: Crispin Cowan
>>
>>LSM does have a careful design.... meeting a
>>goal stated by Linus nearly two years ago.
>>
>>
> A security model that mediates access to security objects by
>logging all access and blocking access if logging cannot continue is
>unsupportable in any straight forward, efficient and/or non-kludgy, ugly
>way.
>
Because Linus asked for access control support, not audit logging
support, it is not surprising that logging models don't fit so well.
> Some security people were banned from the kernel
>devel. summit because their thoughts were deemed 'dangerous': fear was they
>were too persuasive about ideas that were deemed 'ignorant' and would
>fool those poor kernel lambs at the summit.
>
Internal SGI politics.
> Also unsupported: The "no-security" model -- where all security
>is thrown out (to save memory space and cycles) that was desired for embedded work.
>
False: capabilities is now a removable module, which is what Linus asked
for.
> LSM also doesn't support standard LSPP-B1 style graded security
>where mandatory access checks are logged as security violations before
>DAC checks are even looked at for an object.
>
Because doing so would have required approx. 6-10X as many LSM hooks as
the current LSM. Speak up if you think LSM should be 10X bigger to be
able to support Common Criteria standards compliant audit logging ...
> At one point a plan was proposed (by Casey Schaufler, SGI) and
>_\implemented\_ (team members & prjct lead Linda Walsh) to move all
>security checks out of the kernel into a 'default policy' module.
>The code to implement this was submitted to the LSM list in June 1991.
>
And I actually like that plan. But I still believe it to be too radical
for 2.6. It has many nice properties, but is much more invasive to the
kernel. I think it is a very interesting idea for 2.7, and should be
floated past the maintainers who will be impacted to see if it has a
hope in hell.
Crispin
--
Crispin Cowan, Ph.D.
Chief Scientist, WireX http://wirex.com/~crispin/
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
Just say ".Nyet"
[-- Attachment #2: Type: application/pgp-signature, Size: 252 bytes --]
next prev parent reply other threads:[~2003-02-10 3:30 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-02-06 15:02 [BK PATCH] LSM changes for 2.5.59 Stephen D. Smalley
2003-02-06 15:18 ` Christoph Hellwig
2003-02-06 17:16 ` David Wagner
2003-02-06 17:45 ` Christoph Hellwig
2003-02-06 17:51 ` Alan Cox
2003-02-08 2:20 ` jmjones
2003-02-08 4:13 ` Miles Bader
2003-02-09 20:06 ` Christoph Hellwig
2003-02-10 1:39 ` Crispin Cowan
2003-02-10 3:02 ` LA Walsh
2003-02-10 3:40 ` Crispin Cowan [this message]
2003-02-10 7:34 ` LA Walsh
2003-02-10 8:11 ` Chris Wright
2003-02-10 8:21 ` 'Christoph Hellwig'
2003-02-10 8:33 ` Crispin Cowan
2003-02-10 8:39 ` 'Christoph Hellwig'
2003-02-10 13:31 ` Alan Cox
2003-02-10 17:29 ` Casey Schaufler
2003-02-12 8:12 ` side issues of baloney with that ham...(was LSM changes for 2.5.59) LA Walsh
2003-02-10 20:51 ` [BK PATCH] LSM changes for 2.5.59 LA Walsh
2003-02-10 21:36 ` David Wagner
2003-02-10 22:14 ` Bill Davidsen
2003-02-11 1:35 ` Dave Jones
2003-02-11 13:59 ` the modules problems Roman Zippel
2003-02-11 19:44 ` [BK PATCH] LSM changes for 2.5.59 Bill Davidsen
2003-02-10 4:06 ` J Sloan
2003-02-10 5:59 ` David Wagner
2003-02-10 7:31 ` Christoph Hellwig
-- strict thread matches above, loose matches on Subject: below --
2003-02-13 4:08 Mika Kukkonen
2003-02-12 16:58 Makan Pourzandi (LMC)
2003-02-12 18:45 ` 'Christoph Hellwig'
2003-02-12 19:11 ` magniett
2003-02-12 18:38 ` 'Christoph Hellwig'
2003-02-12 22:22 ` Crispin Cowan
2003-02-12 15:37 Pete Loscocco
[not found] <b28k4f$hp4$1@abraham.cs.berkeley.edu>
2003-02-12 8:27 ` LA Walsh
2003-02-10 19:57 Stephen D. Smalley
2003-02-10 22:38 ` LA Walsh
2003-02-10 16:55 Stephen D. Smalley
2003-02-11 8:05 ` Christoph Hellwig
2003-02-13 11:08 ` Chris Wright
2003-02-05 16:59 Stephen D. Smalley
2003-02-05 16:47 Stephen D. Smalley
2003-02-05 16:49 ` Christoph Hellwig
2003-02-05 22:07 ` Greg KH
2003-02-05 22:30 ` Christoph Hellwig
2003-02-05 22:39 ` Russell Coker
2003-02-05 22:41 ` Christoph Hellwig
2003-02-05 15:00 Stephen D. Smalley
2003-02-05 15:34 ` Christoph Hellwig
2003-02-05 16:26 ` Mark Hahn
2003-02-05 13:45 Stephen D. Smalley
2003-02-05 14:13 ` Christoph Hellwig
2003-02-05 4:15 Greg KH
2003-02-05 8:47 ` Christoph Hellwig
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3E471F21.4010803@wirex.com \
--to=crispin@wirex.com \
--cc=hch@infradead.org \
--cc=law@tlinx.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@wirex.com \
--cc=torvalds@transmeta.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox