From: Crispin Cowan <crispin@crispincowan.com>
To: rmeijer@xs4all.nl
Cc: casey@schaufler-ca.com, Chris Wright <chrisw@sous-sol.org>,
Adrian Bunk <bunk@kernel.org>, Simon Arlott <simon@fire.lp0.eu>,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org,
Jan Engelhardt <jengelh@computergmbh.de>,
Linus Torvalds <torvalds@linux-foundation.org>,
Andreas Gruenbacher <agruen@suse.de>,
Thomas Fricaccia <thomas_fricacci@yahoo.com>,
Jeremy Fitzhardinge <jeremy@goop.org>,
James Morris <jmorris@namei.org>,
Giacomo Catenazzi <cate@debian.org>,
Alan Cox <alan@lxorguk.ukuu.org.uk>
Subject: Re: Linux Security *Module* Framework (Was: LSM conversion to static interface)
Date: Mon, 29 Oct 2007 12:41:46 -0700 [thread overview]
Message-ID: <4726377A.4080807@crispincowan.com> (raw)
In-Reply-To: <10965.80.126.27.205.1193684677.squirrel@webmail.xs4all.nl>
Rob Meijer wrote:
> On Mon, October 29, 2007 11:24, Crispin Cowan wrote:
>
>>> Thus IMHO it may be a good idea to instead of a maintainer for LSM
>>> modules as proposed, alternatively a maintainer for each formal model
>>> may be more appropriate. This also would require module builders to
>>> first
>>> think about what formal model they are actualy using, thus resulting in
>>> cleaner module design.
>>>
>> I *really* dislike this idea. It seems to set up the situation that the
>> only acceptable modules are those that follow some "formal" model.
>> Problems:
>> ...
>> * The proposal only allows a single implementation of each formal
>> model. In theory, theory is just like practice, but in practice it
>> is not. SMACK and SELinux follow substantially similar formal
>> models (not exactly the same) so should we exclude one and keep
>> the other? No, of course not, because in practice they are very
>> different.
>>
> I would think the two may benefit from a role as described above.
> But I was thinking more in the line of new modules that may again
> implement this same model, and would thus benefit from interaction with
> this 'model maintainer' role.
>
Ah! So the proposal really is to have an LSM maintainer for each
"family" of models, acting as a resource and arbiter for modules in a class.
I like that idea, and have no objection to it. However, it does have
resource problems, in that the pool of LSM maintainers is not that
large. There is also the likely objection that this degree of scale is
not needed until at least there are multiple families of models in the
upstream kernel, and possibly until there are multiple instances of a
single family in the upstream kernel.
It also begs the question of what constitutes a family.
* AppArmor, SELinux, and TOMOYO are all ambient capability systems
o AppArmor and TOMOYO are pathname based
o SELinux is label based
* SELinux and SMACK are label-based
o I don't know if SMACK is an ambient capability system
* Rob Meijer implicitly advocated for an object capability LSM
o would it be pathname or label based? You could do either or
both ...
* The LSPP work from RH, Tresys, and TCS is MLS based
o this is a subset of both label-based and ambient capability
based
* I have no clue what family to put MultiADM or Dazuko into
* Getting very formal, I could imagine a Clarke-Wilson module
* Getting very informal, I could imagine a module that is a
collection of cute intrusion prevention hacks, such as the Open
wall Linux symlink and hardlink restrictions, and my own RaceGuard
work
o Oh wait, I published
<http://citeseer.ist.psu.edu/cowan01raceguard.html>
RaceGuard. Does that make it formal? :-)
Crispin
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin
CEO, Mercenary Linux http://mercenarylinux.com/
Itanium. Vista. GPLv3. Complexity at work
next prev parent reply other threads:[~2007-10-29 19:45 UTC|newest]
Thread overview: 103+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-10-29 19:04 Linux Security *Module* Framework (Was: LSM conversion to static interface) Rob Meijer
2007-10-29 19:41 ` Crispin Cowan [this message]
2007-10-30 5:13 ` Peter Dolding
2007-10-30 7:14 ` Defense in depth: LSM *modules*, not a static interface Cliffe
2007-10-30 6:55 ` Al Viro
2007-10-30 7:55 ` Crispin Cowan
2007-10-30 15:01 ` Casey Schaufler
2007-10-30 8:00 ` Cliffe
2007-10-30 12:30 ` Simon Arlott
2007-11-06 3:46 ` Crispin Cowan
2007-11-06 7:26 ` Cliffe
2007-11-06 23:59 ` Peter Dolding
2007-11-07 3:50 ` Cliffe
2007-11-07 3:35 ` Casey Schaufler
2007-11-07 4:11 ` Tetsuo Handa
2007-11-07 4:34 ` Peter Dolding
2007-11-07 4:34 ` Casey Schaufler
2007-10-30 18:42 ` Linux Security *Module* Framework (Was: LSM conversion to static interface) Jan Engelhardt
2007-10-30 19:14 ` Casey Schaufler
2007-10-30 19:50 ` Jan Engelhardt
2007-10-30 23:38 ` Peter Dolding
2007-10-31 0:16 ` david
2007-10-31 2:21 ` Peter Dolding
2007-10-31 3:43 ` Casey Schaufler
2007-10-31 5:08 ` david
2007-10-31 6:43 ` Crispin Cowan
2007-10-31 9:03 ` Peter Dolding
2007-10-31 10:10 ` Toshiharu Harada
2007-11-01 2:04 ` Peter Dolding
2007-11-01 2:20 ` Casey Schaufler
2007-11-01 2:51 ` Peter Dolding
2007-11-01 7:17 ` Jan Engelhardt
2007-11-01 11:49 ` David Newall
2007-11-04 1:28 ` Peter Dolding
2007-11-05 6:56 ` Andrew Morgan
2007-11-05 13:29 ` Serge E. Hallyn
2007-10-29 20:27 ` Casey Schaufler
-- strict thread matches above, loose matches on Subject: below --
2007-10-29 10:01 Rob Meijer
2007-10-29 10:24 ` Crispin Cowan
2007-10-29 13:32 ` Peter Dolding
2007-10-18 2:18 LSM conversion to static interface Linus Torvalds
2007-10-19 20:26 ` Andreas Gruenbacher
2007-10-19 20:40 ` Linus Torvalds
2007-10-20 11:05 ` Jan Engelhardt
2007-10-20 22:57 ` James Morris
2007-10-23 4:09 ` LSM conversion to static interface [revert patch] Arjan van de Ven
2007-10-23 5:16 ` Chris Wright
2007-10-24 0:31 ` Jeremy Fitzhardinge
2007-10-24 5:06 ` Arjan van de Ven
2007-10-24 11:50 ` Linux Security *Module* Framework (Was: LSM conversion to static interface Simon Arlott
2007-10-24 12:55 ` Adrian Bunk
2007-10-24 18:11 ` Linux Security *Module* Framework (Was: LSM conversion to static interface) Simon Arlott
2007-10-24 18:51 ` Jan Engelhardt
2007-10-24 18:59 ` Simon Arlott
2007-10-24 19:04 ` Jan Engelhardt
2007-10-24 21:02 ` David P. Quigley
2007-10-24 21:37 ` Serge E. Hallyn
2007-10-24 21:51 ` Jan Engelhardt
2007-10-24 22:02 ` David P. Quigley
2007-10-24 23:13 ` Jan Engelhardt
2007-10-25 1:50 ` david
2007-10-25 3:50 ` Kyle Moffett
2007-10-24 21:42 ` Jan Engelhardt
2007-10-24 21:58 ` Casey Schaufler
2007-10-24 22:04 ` David P. Quigley
2007-10-25 11:38 ` Simon Arlott
2007-10-24 20:18 ` Crispin Cowan
2007-10-24 20:46 ` Jan Engelhardt
2007-10-24 21:29 ` Casey Schaufler
2007-10-24 22:31 ` Adrian Bunk
2007-10-24 22:58 ` Casey Schaufler
2007-10-24 23:32 ` Adrian Bunk
2007-10-24 23:42 ` Linus Torvalds
2007-10-25 0:41 ` Chris Wright
2007-10-25 2:19 ` Arjan van de Ven
2007-10-30 3:37 ` Toshiharu Harada
2007-10-25 1:03 ` Casey Schaufler
2007-10-25 0:23 ` Chris Wright
2007-10-25 0:35 ` Ray Lee
2007-10-25 1:26 ` Peter Dolding
2007-10-25 1:41 ` Alan Cox
2007-10-25 2:11 ` david
2007-10-25 18:17 ` Ray Lee
2007-10-25 22:21 ` Alan Cox
2007-10-26 3:45 ` david
2007-10-26 5:44 ` Peter Dolding
2007-10-27 18:29 ` Pavel Machek
2007-10-28 18:48 ` Hua Zhong
2007-10-28 19:05 ` Hua Zhong
2007-10-28 22:08 ` Crispin Cowan
2007-10-28 22:50 ` Alan Cox
2007-11-26 20:42 ` serge
2007-10-28 23:55 ` Peter Dolding
2007-10-29 5:12 ` Arjan van de Ven
2007-10-25 9:19 ` Bernd Petrovitsch
2007-10-25 16:04 ` Ray Lee
2007-10-25 17:10 ` Arjan van de Ven
2007-10-30 9:41 ` Bernd Petrovitsch
2007-10-25 1:42 ` Casey Schaufler
2007-10-27 18:22 ` Pavel Machek
2007-10-30 3:23 ` Toshiharu Harada
2007-10-30 8:40 ` Jan Engelhardt
2007-10-30 8:50 ` Crispin Cowan
2007-10-30 9:27 ` Jan Engelhardt
2007-10-30 9:21 ` Toshiharu Harada
2007-10-25 11:44 ` Simon Arlott
2007-10-25 23:09 ` Tilman Schmidt
2007-10-26 2:56 ` Greg KH
2007-10-26 7:09 ` Jan Engelhardt
2007-10-26 15:54 ` Greg KH
2007-10-26 9:46 ` Tilman Schmidt
2007-10-26 15:58 ` Greg KH
2007-10-26 16:32 ` Simon Arlott
2007-10-26 23:26 ` Adrian Bunk
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4726377A.4080807@crispincowan.com \
--to=crispin@crispincowan.com \
--cc=agruen@suse.de \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=bunk@kernel.org \
--cc=casey@schaufler-ca.com \
--cc=cate@debian.org \
--cc=chrisw@sous-sol.org \
--cc=jengelh@computergmbh.de \
--cc=jeremy@goop.org \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=rmeijer@xs4all.nl \
--cc=simon@fire.lp0.eu \
--cc=thomas_fricacci@yahoo.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox