From: Crispin Cowan <crispin@crispincowan.com>
To: rmeijer@xs4all.nl
Cc: casey@schaufler-ca.com, Chris Wright <chrisw@sous-sol.org>,
Adrian Bunk <bunk@kernel.org>, Simon Arlott <simon@fire.lp0.eu>,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org,
Jan Engelhardt <jengelh@computergmbh.de>,
Linus Torvalds <torvalds@linux-foundation.org>,
Andreas Gruenbacher <agruen@suse.de>,
Thomas Fricaccia <thomas_fricacci@yahoo.com>,
Jeremy Fitzhardinge <jeremy@goop.org>,
James Morris <jmorris@namei.org>,
Giacomo Catenazzi <cate@debian.org>,
Alan Cox <alan@lxorguk.ukuu.org.uk>
Subject: Re: Linux Security *Module* Framework (Was: LSM conversion to static interface)
Date: Mon, 29 Oct 2007 03:24:42 -0700 [thread overview]
Message-ID: <4725B4EA.4060303@crispincowan.com> (raw)
In-Reply-To: <15466.80.126.27.205.1193652063.squirrel@webmail.xs4all.nl>
Rob Meijer wrote:
> What may be even more relevant are those concepts that couldn't be done
> in SELinux, and how proposals that come from the theory of alternative
> access controll models (like object capability modeling) are dismissed
> by the aparently largely MLS/MAC oriented people on the list.
Clearly what is needed here is for someone to actually implement an
object capability LSM module. None of SELinux, SMACK, LIDS, AppArmor,
MultiADM, or TOMOYO can implement object capabilities, so there is clear
justification for building such a module. I would argue strongly to
include it.
> Thus IMHO it may be a good idea to instead of a maintainer for LSM
> modules as proposed, alternatively a maintainer for each formal model
> may be more appropriate. This also would require module builders to first
> think about what formal model they are actualy using, thus resulting in
> cleaner module design.
>
I *really* dislike this idea. It seems to set up the situation that the
only acceptable modules are those that follow some "formal" model. Problems:
* What qualifies as a formal model? This becomes an arbitrary litmus
test, depending on whether the model was originally published in a
sufficiently snooty forum.
* What if someone invents a new model that has not been "formalized"
yet? Should Linux be forced to wait until the idea has been
through the academic mill before we allow someone to try
implementing a module for the idea?
* The proposal only allows a single implementation of each formal
model. In theory, theory is just like practice, but in practice it
is not. SMACK and SELinux follow substantially similar formal
models (not exactly the same) so should we exclude one and keep
the other? No, of course not, because in practice they are very
different.
Crispin
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin
CEO, Mercenary Linux http://mercenarylinux.com/
Itanium. Vista. GPLv3. Complexity at work
next prev parent reply other threads:[~2007-10-29 10:24 UTC|newest]
Thread overview: 89+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-10-29 10:01 Linux Security *Module* Framework (Was: LSM conversion to static interface) Rob Meijer
2007-10-29 10:24 ` Crispin Cowan [this message]
2007-10-29 13:32 ` Peter Dolding
-- strict thread matches above, loose matches on Subject: below --
2007-10-29 19:04 Rob Meijer
2007-10-29 19:41 ` Crispin Cowan
2007-10-30 5:13 ` Peter Dolding
2007-10-30 18:42 ` Jan Engelhardt
2007-10-30 19:14 ` Casey Schaufler
2007-10-30 19:50 ` Jan Engelhardt
2007-10-30 23:38 ` Peter Dolding
2007-10-31 0:16 ` david
2007-10-31 2:21 ` Peter Dolding
2007-10-31 3:43 ` Casey Schaufler
2007-10-31 5:08 ` david
2007-10-31 6:43 ` Crispin Cowan
2007-10-31 9:03 ` Peter Dolding
2007-10-31 10:10 ` Toshiharu Harada
2007-11-01 2:04 ` Peter Dolding
2007-11-01 2:20 ` Casey Schaufler
2007-11-01 2:51 ` Peter Dolding
2007-11-01 7:17 ` Jan Engelhardt
2007-11-01 11:49 ` David Newall
2007-11-04 1:28 ` Peter Dolding
2007-11-05 6:56 ` Andrew Morgan
2007-11-05 13:29 ` Serge E. Hallyn
2007-10-29 20:27 ` Casey Schaufler
2007-10-18 2:18 LSM conversion to static interface Linus Torvalds
2007-10-19 20:26 ` Andreas Gruenbacher
2007-10-19 20:40 ` Linus Torvalds
2007-10-20 11:05 ` Jan Engelhardt
2007-10-20 22:57 ` James Morris
2007-10-23 4:09 ` LSM conversion to static interface [revert patch] Arjan van de Ven
2007-10-23 5:16 ` Chris Wright
2007-10-24 0:31 ` Jeremy Fitzhardinge
2007-10-24 5:06 ` Arjan van de Ven
2007-10-24 11:50 ` Linux Security *Module* Framework (Was: LSM conversion to static interface Simon Arlott
2007-10-24 12:55 ` Adrian Bunk
2007-10-24 18:11 ` Linux Security *Module* Framework (Was: LSM conversion to static interface) Simon Arlott
2007-10-24 18:51 ` Jan Engelhardt
2007-10-24 18:59 ` Simon Arlott
2007-10-24 19:04 ` Jan Engelhardt
2007-10-24 21:02 ` David P. Quigley
2007-10-24 21:37 ` Serge E. Hallyn
2007-10-24 21:51 ` Jan Engelhardt
2007-10-24 22:02 ` David P. Quigley
2007-10-24 23:13 ` Jan Engelhardt
2007-10-25 1:50 ` david
2007-10-25 3:50 ` Kyle Moffett
2007-10-24 21:42 ` Jan Engelhardt
2007-10-24 21:58 ` Casey Schaufler
2007-10-24 22:04 ` David P. Quigley
2007-10-25 11:38 ` Simon Arlott
2007-10-24 20:18 ` Crispin Cowan
2007-10-24 20:46 ` Jan Engelhardt
2007-10-24 21:29 ` Casey Schaufler
2007-10-24 22:31 ` Adrian Bunk
2007-10-24 22:58 ` Casey Schaufler
2007-10-24 23:32 ` Adrian Bunk
2007-10-24 23:42 ` Linus Torvalds
2007-10-25 0:41 ` Chris Wright
2007-10-25 2:19 ` Arjan van de Ven
2007-10-30 3:37 ` Toshiharu Harada
2007-10-25 1:03 ` Casey Schaufler
2007-10-25 0:23 ` Chris Wright
2007-10-25 0:35 ` Ray Lee
2007-10-25 1:26 ` Peter Dolding
2007-10-25 1:41 ` Alan Cox
2007-10-25 2:11 ` david
2007-10-25 18:17 ` Ray Lee
2007-10-25 22:21 ` Alan Cox
2007-10-26 3:45 ` david
2007-10-26 5:44 ` Peter Dolding
2007-10-27 18:29 ` Pavel Machek
2007-10-28 18:48 ` Hua Zhong
2007-10-28 19:05 ` Hua Zhong
2007-10-28 22:08 ` Crispin Cowan
2007-10-28 22:50 ` Alan Cox
2007-11-26 20:42 ` serge
2007-10-28 23:55 ` Peter Dolding
2007-10-29 5:12 ` Arjan van de Ven
2007-10-25 9:19 ` Bernd Petrovitsch
2007-10-25 16:04 ` Ray Lee
2007-10-25 17:10 ` Arjan van de Ven
2007-10-30 9:41 ` Bernd Petrovitsch
2007-10-25 1:42 ` Casey Schaufler
2007-10-27 18:22 ` Pavel Machek
2007-10-30 3:23 ` Toshiharu Harada
2007-10-30 8:40 ` Jan Engelhardt
2007-10-30 8:50 ` Crispin Cowan
2007-10-30 9:27 ` Jan Engelhardt
2007-10-30 9:21 ` Toshiharu Harada
2007-10-25 11:44 ` Simon Arlott
2007-10-25 23:09 ` Tilman Schmidt
2007-10-26 2:56 ` Greg KH
2007-10-26 7:09 ` Jan Engelhardt
2007-10-26 15:54 ` Greg KH
2007-10-26 9:46 ` Tilman Schmidt
2007-10-26 15:58 ` Greg KH
2007-10-26 16:32 ` Simon Arlott
2007-10-26 23:26 ` Adrian Bunk
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4725B4EA.4060303@crispincowan.com \
--to=crispin@crispincowan.com \
--cc=agruen@suse.de \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=bunk@kernel.org \
--cc=casey@schaufler-ca.com \
--cc=cate@debian.org \
--cc=chrisw@sous-sol.org \
--cc=jengelh@computergmbh.de \
--cc=jeremy@goop.org \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=rmeijer@xs4all.nl \
--cc=simon@fire.lp0.eu \
--cc=thomas_fricacci@yahoo.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox