From: James Morris <jmorris@namei.org>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: casey@schaufler-ca.com,
Linus Torvalds <torvalds@linux-foundation.org>,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel
Date: Mon, 1 Oct 2007 04:33:05 -0700 (PDT) [thread overview]
Message-ID: <Xine.LNX.4.64.0710010146100.13671@us.intercode.com.au> (raw)
In-Reply-To: <20070930011618.ccb8351b.akpm@linux-foundation.org>
On Sun, 30 Sep 2007, Andrew Morton wrote:
> So with the information which I presently have available to me, I'm
> thinking that this should go into 2.6.24.
I think the decision to merge Smack is something that needs to be
considered in the wider context of overall security architecture.
Smack itself looks fine. It seems like clean code with interesting ideas,
and appears to be based upon sound principles.
Merging Smack, however, would lock the kernel into the LSM API.
Presently, as SELinux is the only in-tree user, LSM can still be removed.
LSM's weak semantics and pervasive deep hooking of the kernel means that
we'll have to continue dealing with several unpleasant issues, such as the
abuse of the API by out of tree vendors, with a proliferation of
binary/proprietary modules which typically maladapt the API for arbitrary
purposes and/or use dangerous techniques. We will continue to waste
resources maintaining this capability for them.
On a broader scale, we'll miss the potential of Linux having a coherent,
semantically strong security architecture. I have written about this in
some detail before: http://lwn.net/Articles/240019/
Briefly, SELinux is a security architecture. It provides an extremely
high degree of flexibility, in terms of both the types of security models
implemented, and security policy for those models. It allows controlled
composition of different security models, with a common policy language
framework, allowing the entire system to be analyzed. The same ideas and
even code can be reused beyond the kernel as post-DAC security is extended
into databases, the desktop, distributed applications etc. It is a
framework which provides a structured, coherent view of the security of
the OS (and ultimately, the entire distributed environment).
If LSM remains, security will never be a first class citizen of the
kernel. Application developers will see multiple security schemes, and
either burn themselves trying to support them, or more likely, ignore
them.
Core kernel developers will continue to not have enough information to
understand what the LSM hooks in their code are supposed to be doing,
leading to long term maintenance issues and potential security problems.
LSM will remain a magnet for bad ideas. There's a reason we don't have
pluggable network stacks, and we are lucky to have had a unified
networking framework maintained by people who know to say no to things
like STREAMS and TOE. I would question whether this quality of
maintainership would exist if the networking core was simply a bunch of
deep hooks into which people dumped arbitrary custom stacks.
LSM will prevent us from making systemic improvements to security, as
there will be no common security architecture. Things like Netfilter
would not have been viable with a kernel which simply provided a bunch of
hooks for networking stacks and an assortment of implementations.
Much of this we have learned from the experience of LSM, and I think it
has been valuable for that, but I think we need to consider now whether we
are going to continue down this track in a permanent manner.
- James
--
James Morris
<jmorris@namei.org>
next prev parent reply other threads:[~2007-10-01 11:33 UTC|newest]
Thread overview: 79+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-09-30 0:20 [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel Casey Schaufler
2007-09-30 8:16 ` Andrew Morton
2007-09-30 8:42 ` Andi Kleen
2007-09-30 17:14 ` Casey Schaufler
2007-09-30 17:34 ` Andi Kleen
2007-09-30 23:24 ` david
2007-09-30 17:29 ` Joshua Brindle
2007-09-30 17:39 ` Andi Kleen
2007-09-30 19:07 ` Theodore Tso
2007-09-30 20:05 ` Andi Kleen
2007-09-30 20:22 ` Theodore Tso
2007-10-01 20:28 ` Casey Schaufler
2007-09-30 20:18 ` Paul Moore
2007-09-30 9:53 ` Christoph Hellwig
2007-09-30 17:19 ` Casey Schaufler
2007-10-02 8:36 ` Thomas Bleher
2007-09-30 17:02 ` Casey Schaufler
2007-09-30 20:30 ` Paul Moore
2007-10-01 11:33 ` James Morris [this message]
2007-10-01 15:07 ` Linus Torvalds
2007-10-01 15:40 ` Stephen Smalley
2007-10-01 16:04 ` Linus Torvalds
2007-10-01 17:54 ` Olivier Galibert
2007-10-02 21:02 ` Bill Davidsen
2007-10-02 21:20 ` Linus Torvalds
2007-10-02 23:25 ` Linus Torvalds
2007-10-03 0:12 ` Alan Cox
2007-10-04 22:56 ` Derek Fawcus
2007-10-04 23:18 ` Chuck Ebbert
2007-10-04 23:44 ` Derek Fawcus
2007-10-03 5:32 ` Crispin Cowan
2007-10-03 3:54 ` Bill Davidsen
2007-10-03 4:52 ` Linus Torvalds
2007-10-05 1:44 ` Eric W. Biederman
2007-10-05 3:04 ` Kyle Moffett
2007-10-05 4:45 ` Eric W. Biederman
2007-10-05 5:48 ` Kyle Moffett
2007-10-05 16:27 ` Casey Schaufler
2007-10-05 18:42 ` Stephen Smalley
2007-10-05 20:08 ` Casey Schaufler
2007-10-05 20:11 ` Eric W. Biederman
2007-10-08 17:50 ` Casey Schaufler
2007-10-08 18:47 ` Eric W. Biederman
2007-10-08 18:53 ` Serge E. Hallyn
2007-10-08 21:05 ` Casey Schaufler
2007-10-08 16:18 ` Serge E. Hallyn
2007-10-08 17:31 ` Casey Schaufler
2007-10-09 13:52 ` Stephen Smalley
2007-10-09 16:02 ` Casey Schaufler
2007-10-08 23:24 ` Bill Davidsen
2007-10-08 16:06 ` Serge E. Hallyn
2007-10-08 17:20 ` Eric W. Biederman
2007-10-08 18:00 ` Serge E. Hallyn
2007-10-08 19:29 ` Eric W. Biederman
2007-10-08 19:50 ` Eric W. Biederman
2007-10-08 20:39 ` Casey Schaufler
2007-10-08 21:02 ` Eric W. Biederman
2007-10-08 21:20 ` Alan Cox
2007-10-10 13:48 ` Eric W. Biederman
2007-10-10 15:45 ` Stephen Smalley
2007-10-10 17:57 ` Casey Schaufler
2007-10-11 10:46 ` Kyle Moffett
2007-10-11 15:41 ` Casey Schaufler
2007-10-11 18:53 ` Kyle Moffett
2007-10-11 20:09 ` Alan Cox
2007-10-08 21:51 ` Crispin Cowan
2007-10-30 4:01 ` Kazuki Omo(Company)
2007-10-30 15:07 ` Casey Schaufler
2007-10-08 20:25 ` Casey Schaufler
2007-10-08 20:57 ` Eric W. Biederman
2007-10-06 19:14 ` Bill Davidsen
2007-10-03 0:10 ` Alan Cox
2007-10-03 0:18 ` Linus Torvalds
2007-10-01 16:39 ` Casey Schaufler
2007-10-01 19:00 ` Theodore Tso
2007-10-01 15:38 ` Casey Schaufler
2007-10-01 20:49 ` Jan Engelhardt
2007-10-01 3:47 ` Serge E. Hallyn
2007-10-01 4:15 ` Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Xine.LNX.4.64.0710010146100.13671@us.intercode.com.au \
--to=jmorris@namei.org \
--cc=akpm@linux-foundation.org \
--cc=casey@schaufler-ca.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox