From: Crispin Cowan <crispin@crispincowan.com>
To: Greg KH <greg@kroah.com>
Cc: Thomas Fricaccia <thomas_fricacci@yahoo.com>,
linux-kernel@vger.kernel.org, Alan Cox <alan@lxorguk.ukuu.org.uk>,
Linus Torvalds <torvalds@linux-foundation.org>,
LSM ML <linux-security-module@vger.kernel.org>
Subject: Re: LSM conversion to static interface
Date: Mon, 22 Oct 2007 22:14:51 -0700 [thread overview]
Message-ID: <471D834B.1080501@crispincowan.com> (raw)
In-Reply-To: <20071022171326.GA30317@kroah.com>
Greg KH wrote:
> On Mon, Oct 22, 2007 at 10:00:46AM -0700, Thomas Fricaccia wrote:
>
>> Security is big business, as is compliance with regulatory law. Large
>> enterprise customers are NOT going to either void their system support
>> contracts, or place themselves in jeopardy of failing a SOX audit.
>>
> I agree, that is why customers do not load other random security modules
> in their kernel today,
That "random" module could be a module supplied by a vendor other than
the distro supplier, such as a security vendor. It could be a research
prototype that the user wants to try out on their enterprise-supported
kernel. It could even be an in-house developed module that a local site
wants to run on his larger organization's blessed kernel.
So far from "random", these modules are motivated by circumstances
radically different than yours. In particular, rebuilding a kernel for
you (GregKH, many LKML developers) is a casual thing to be done before
breakfast, but is a scary obstacle to many others. It is an obstacle to
people who are skilled at computers but deliberately *not* kernel
developers (the whole world does not need to be a Linux kernel
developer) and it is an obstacle to large enterprise admins who have
organizational pressure to use specific, pre-built kernels.
> and why they will not do so tomorrow. So,
> because of that, this whole point about compliance with regulatory law
> seems kind of moot :)
>
I think the specific stuff about regulatory compliance is tangential.
SarBox and friends don't specify Linux kernel versions, they are
incredibly vague and subject to interpretation. But they are part of
what drive organizations to have self-imposed rules about only running
blessed kernel versions.
Suffice it to say that there are a variety of reasons why someone either
cannot re-compile a kernel, or just does not want to recompile a kernel.
This change to LSM removes their choice to use modules others than those
provided by their distro vendor.
> Again, LSM isn't going away at all, this is just one config option for
> allowing LSM to work as a module that is changing. If a customer
> demands that this feature come back, I'm sure that the big distros will
> be the first to push for it. But currently, given that there are no
> known external LSMs being used by customers demanding support, I don't
> see what the big issue here really is.
>
As I said, it is a medium issue, not a big one, which is why I didn't
speak out before.
I am opposed to this change because I see zero benefit to it, and a lot
of down-side in loss of user choice.
Because that is what this does: it does not help the kernel get better.
It *definitely* does not help the kernel become more secure. It mostly
just removes user's choice, by making it difficult to do things that
some people don't approve of.
As I've said, it doesn't hurt AppArmor, because 3 major distros ship it.
But it will hurt user choice and innovation, by making anything not
shipped by a distro more difficult to access.
There is some performance gains to be had by doing something to the LSM
interface. Certainly a configuration option that statically inlines all
the hooks and points them at a compiled in module would yield some
performance gain, but I don't know how much. But that raises 2 questions:
1. Was *performance* really the reason this patch was proposed? Or
was it because James really did want the restrictive effect of
preventing people from choosing after-market modules and
dynamically unloading them if they want? I believe that James was
well-intentioned in trying to block these actions because he
believes them to be insecure, and he's right, they are insecure.
However, these actions are also very practically useful in many
circumstances. I disagree with the change because an individual
LSM can block both such actions if you wish, so imposing it on all
LSM modules is restricting choice unnecessarily.
2. Is the performance issue that this might address really big enough
to bother fixing at all? Maybe, but I don't know. Again, I'm
strictly opposed to the loss of flexibility until the performance
issue is documented, and then I would rather see it be a
configuration option you can choose to inline your module of
choice, rather than the default behavior.
Crispin
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Itanium. Vista. GPLv3. Complexity at work
next prev parent reply other threads:[~2007-10-23 5:15 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-10-22 17:00 LSM conversion to static interface Thomas Fricaccia
2007-10-22 17:12 ` Alan Cox
2007-10-22 17:13 ` Greg KH
2007-10-23 5:14 ` Crispin Cowan [this message]
2007-10-23 5:32 ` david
2007-10-23 11:38 ` Simon Arlott
2007-10-23 5:53 ` Giacomo Catenazzi
2007-10-23 7:12 ` Crispin Cowan
2007-10-23 8:17 ` Giacomo A. Catenazzi
2007-10-24 3:41 ` Greg KH
-- strict thread matches above, loose matches on Subject: below --
2007-10-25 11:33 Jan Engelhardt
2007-10-26 10:40 ` Samir Bellabes
2007-10-22 2:24 Thomas Fricaccia
2007-10-22 3:59 ` Greg KH
2007-10-22 17:47 ` Avi Kivity
2007-10-23 16:05 ` Adrian Bunk
2007-10-23 16:52 ` Geert Uytterhoeven
2007-10-22 10:07 ` Alan Cox
2007-10-22 16:10 ` Crispin Cowan
2007-10-22 16:50 ` Alan Cox
2007-10-22 16:56 ` Greg KH
[not found] <167451.96128.qm@web38607.mail.mud.yahoo.com>
2007-10-18 2:18 ` Linus Torvalds
2007-10-19 20:26 ` Andreas Gruenbacher
2007-10-19 20:40 ` Linus Torvalds
2007-10-20 11:05 ` Jan Engelhardt
2007-10-20 22:57 ` James Morris
2007-10-21 22:59 ` Adrian Bunk
2007-10-23 9:13 ` Jan Engelhardt
2007-10-23 5:44 ` Giacomo Catenazzi
2007-10-23 8:55 ` Jan Engelhardt
2007-10-23 9:14 ` Giacomo A. Catenazzi
2007-10-23 9:18 ` Jan Engelhardt
2007-10-23 15:20 ` Serge E. Hallyn
2007-10-23 15:28 ` Jan Engelhardt
2007-10-23 15:34 ` Serge E. Hallyn
2007-10-25 10:23 ` Valdis.Kletnieks
2007-10-19 21:07 ` James Morris
2007-10-18 1:34 Thomas Fricaccia
2007-10-18 2:03 ` Casey Schaufler
2007-10-18 2:21 ` Linus Torvalds
2007-10-18 3:06 ` Arjan van de Ven
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=471D834B.1080501@crispincowan.com \
--to=crispin@crispincowan.com \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=greg@kroah.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=thomas_fricacci@yahoo.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox