ideas on interface (was Be careful please)

From: Chris Wright (chrisat_private)
Date: Fri Apr 13 2001 - 18:09:32 PDT


    * Wagner, Grant (gmwat_private) wrote:
    <snip>
    > 
    > I know it is more fun to run off and implement a quick and dirty example but
    > aren't we jumping the gun?  I don't think  Linux needs a quick and dirty
    > security solution. I believe that if we want to actually respond to Linus's
    > charge, we need to spend a short time looking at the various approaches and
    > then agree on a practical, maximally inclusive approach. After all, if Linus
    > simply wanted something not too bad that he could slap into the kernel now,
    > he would have chosen one of the existing prototypes. I believe that he
    > expects us to come up with a thoughtful design that offers a platform for
    > strong security built upon the lessons learned from the existing approaches.
    
    Thanks Grant, this is well put.  I might add that this is an iterative
    process, and some of the early hacking/prototyping is useful in grasping
    the issues.  So far we have all implemented things in our own way
    according to our own needs.  So now we try to collect our needs and
    develop an appropriately abstracted interface.  We have been given some
    _real_ clues about what Linus will accept, makes sense to follow these ;-)
    
    Linus has suggested an interface geared towards kernel objects, others
    would prefer to interpose at the syscall interface.  Porting capabilities
    to the interface must be supported, and is a great candidate for the
    trial run (this is what we are working on right now).  So...how?
    Capabilities defines some level of abstraction (just take a look at
    linux/capability.h to see how functionality is grouped).  But it also
    blends interposition ;-(
    
    We are in favor of the interface conforming to the concept of
    protecting kernel objects whenever possible.  So for example, CAP_SETGID,
    CAP_SETUID, CAP_NICE all basically interpose at syscall level.  However,
    these are really just protecting data in the task structure.  
    
    See attached "header" file for a rough sketch of an interface that
    we'd like to propose/discuss.  (NOTE: this is not compilable code,
    simply a way to discuss _how_ to abstract the interface).
    
    -chris
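The contrast the post draws, between hooking each syscall and hooking the task-structure data the syscalls modify, as an added example in C. This is not the attached header, not LSM code, and not Linus's or the authors' interface; task_t, security_ops, cap_task_set_uid and TOY_CAP_SETUID are hypothetical names, and the uid rule is a simplified form of the POSIX saved-id rule, not the kernel's exact logic.

```c
/* Added example, not from the original post or the LSM project.  A toy
 * model of an object-level hook: one hook guards the uid triple in the
 * task structure, and every syscall that modifies that triple (setuid,
 * setreuid, and any later entry point) goes through the same check.
 * With syscall-level interposition each entry point would carry its
 * own copy of the policy.  All names below are hypothetical. */
#include <stdint.h>
#include <stdio.h>

#define EPERM 1

/* Constructed capability mask bit.  The real CAP_SETUID in
 * linux/capability.h is a bit index, not this value. */
#define TOY_CAP_SETUID (1u << 7)

typedef struct task {
    uint32_t uid, euid, suid;   /* real, effective, saved uid */
    uint32_t cap_effective;     /* capability bitmask */
} task_t;

/* Object-level hook table: guards data in the task structure, not a
 * particular syscall. */
struct security_ops {
    int (*task_set_uid)(task_t *t, uint32_t new_uid);
};

/* A "capabilities" module implementing the hook.  Simplified rule: an
 * unprivileged task may only take a uid it already holds in one of the
 * three slots; TOY_CAP_SETUID lifts the restriction. */
static int cap_task_set_uid(task_t *t, uint32_t new_uid)
{
    if (t->cap_effective & TOY_CAP_SETUID)
        return 0;
    if (new_uid == t->uid || new_uid == t->euid || new_uid == t->suid)
        return 0;
    return -EPERM;
}

static struct security_ops ops = { .task_set_uid = cap_task_set_uid };

/* Two distinct syscall entry points that end up writing the same
 * object.  Neither carries policy of its own; both call the one hook. */
static int sys_setuid(task_t *t, uint32_t uid)
{
    int rc = ops.task_set_uid(t, uid);
    if (rc)
        return rc;
    t->euid = uid;
    if (t->cap_effective & TOY_CAP_SETUID)
        t->uid = t->suid = uid;     /* privileged setuid sets all three */
    return 0;
}

static int sys_setreuid(task_t *t, uint32_t ruid, uint32_t euid)
{
    int rc;
    if ((rc = ops.task_set_uid(t, ruid)) != 0)
        return rc;
    if ((rc = ops.task_set_uid(t, euid)) != 0)
        return rc;
    t->uid = ruid;
    t->euid = euid;
    return 0;
}

/* Scenarios on constructed tasks; each returns 1 on the expected outcome. */
int unprivileged_escalation_denied(void)
{
    task_t t = { .uid = 1000, .euid = 1000, .suid = 1000, .cap_effective = 0 };
    return sys_setuid(&t, 0) == -EPERM && t.euid == 1000;
}

int privileged_setuid_allowed(void)
{
    task_t t = { .uid = 1000, .euid = 1000, .suid = 1000,
                 .cap_effective = TOY_CAP_SETUID };
    return sys_setuid(&t, 0) == 0 && t.uid == 0 && t.euid == 0 && t.suid == 0;
}

/* A setuid-root program that temporarily dropped to uid 1000 keeps 0 in
 * the saved slot, so regaining 0 is allowed while an unrelated uid is
 * refused, by the same hook that guarded sys_setuid. */
int setreuid_shares_hook(void)
{
    task_t t = { .uid = 1000, .euid = 1000, .suid = 0, .cap_effective = 0 };
    int first = sys_setreuid(&t, 0, 0);
    int second = sys_setreuid(&t, 0, 2000);
    return first == 0 && second == -EPERM && t.uid == 0 && t.euid == 0;
}

int main(void)
{
    printf("unprivileged setuid(0) denied: %d\n", unprivileged_escalation_denied());
    printf("CAP_SETUID setuid(0) allowed:  %d\n", privileged_setuid_allowed());
    printf("setreuid uses same hook:       %d\n", setreuid_shares_hook());
    return 0;
}
```

The point of the shape is that a third entry point (setresuid, say) needs no new hook and no new policy: it calls ops.task_set_uid once per field it writes, and a module that replaces cap_task_set_uid changes the rule for every path at once.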
    
    
    

    _______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 18:15:32 PDT