Re: Defense in depth: LSM *modules*, not a static interface

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Casey Schaufler <casey@schaufler-ca.com>
To: Cliffe <cliffe@ii.net>, Peter Dolding <oiaohm@gmail.com>
Cc: Crispin Cowan <crispin@crispincowan.com>,
	Simon Arlott <simon@fire.lp0.eu>,
	linux-kernel@vger.kernel.org,
	linux-security-module@vger.kernel.org
Subject: Re: Defense in depth: LSM *modules*, not a static interface
Date: Tue, 6 Nov 2007 19:35:34 -0800 (PST)	[thread overview]
Message-ID: <671729.27434.qm@web36604.mail.mud.yahoo.com> (raw)
In-Reply-To: <4731361D.9030504@ii.net>

--- Cliffe <cliffe@ii.net> wrote:

> As good an idea POSIX capabilities might be,

Now that's a refreshing comment. Thank you.

> not all security problems 
> can be solved with a bitmap of on/off permissions.

There are people (I'm not one of them) who figure that you
can solve all the security problems by applying sufficiently
fine granularity of on/off permissions.

> Peter Dolding wrote:
> <lots o stuff>
> 
> Ok but what happens to the principle of least privilege?
> 
> What if we want AppArmor to confine that application to use a particular 
> set of ports?
> 
> Do you propose having a capability for each port? how about protocols?

While you're at it, how about a capability for each possible
directory entry name?

> So unless my understanding of capabilities is fundamentally flawed 
> (which it may be - I have not spent time reviewing recent changes) 
> obviously Linux capabilities does not provide a solution to every problem.

Of course they don't. The only problem they are intended
to solve, and I really mean this, is the association of uid 0
with privilege. That's it. You would be better off with a single
CAP_GODLIKE than with uid 0 having all privilege all the time.
Fine grained capabilities are a bonus, and there are lots of
people who think that it would be really nifty if there were a
separate capability for each "if" in the kernel. I personally
don't see need for more than about 20. That is a matter of taste.
DG/UX ended up with 330 and I say that's too many.

Casey Schaufler
casey@schaufler-ca.com

next prev parent reply	other threads:[~2007-11-07  3:35 UTC|newest]

Thread overview: 37+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2007-10-29 19:04 Linux Security *Module* Framework (Was: LSM conversion to static interface) Rob Meijer
2007-10-29 19:41 ` Crispin Cowan
2007-10-30  5:13   ` Peter Dolding
2007-10-30  7:14     ` Defense in depth: LSM *modules*, not a static interface Cliffe
2007-10-30  6:55       ` Al Viro
2007-10-30  7:55         ` Crispin Cowan
2007-10-30 15:01           ` Casey Schaufler
2007-10-30  8:00         ` Cliffe
2007-10-30 12:30       ` Simon Arlott
2007-11-06  3:46         ` Crispin Cowan
2007-11-06  7:26           ` Cliffe
2007-11-06 23:59             ` Peter Dolding
2007-11-07  3:50               ` Cliffe
2007-11-07  3:35                 ` Casey Schaufler [this message]
2007-11-07  4:11                   ` Tetsuo Handa
2007-11-07  4:34                     ` Peter Dolding
2007-11-07  4:34                     ` Casey Schaufler
2007-10-30 18:42     ` Linux Security *Module* Framework (Was: LSM conversion to static interface) Jan Engelhardt
2007-10-30 19:14       ` Casey Schaufler
2007-10-30 19:50         ` Jan Engelhardt
2007-10-30 23:38       ` Peter Dolding
2007-10-31  0:16         ` david
2007-10-31  2:21           ` Peter Dolding
2007-10-31  3:43             ` Casey Schaufler
2007-10-31  5:08             ` david
2007-10-31  6:43             ` Crispin Cowan
2007-10-31  9:03               ` Peter Dolding
2007-10-31 10:10               ` Toshiharu Harada
2007-11-01  2:04                 ` Peter Dolding
2007-11-01  2:20                   ` Casey Schaufler
2007-11-01  2:51                     ` Peter Dolding
2007-11-01  7:17                       ` Jan Engelhardt
2007-11-01 11:49                         ` David Newall
2007-11-04  1:28                           ` Peter Dolding
2007-11-05  6:56                       ` Andrew Morgan
2007-11-05 13:29                         ` Serge E. Hallyn
2007-10-29 20:27 ` Casey Schaufler

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=671729.27434.qm@web36604.mail.mud.yahoo.com \
    --to=casey@schaufler-ca.com \
    --cc=cliffe@ii.net \
    --cc=crispin@crispincowan.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=oiaohm@gmail.com \
    --cc=simon@fire.lp0.eu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox