Celestial Wizard wrote:
> What about having the kernel store it somewhere (encrypted partition / fs ?)
> that is accessible via VFS (?) so that you can't read it past boot.

You're re-inventing security metadata. What you describe is a specific
implementation that stores security metadata. The method you describe is a
fine method for some particular security module to employ. However, because
various security systems take such divergent approaches to storing metadata,
LSM should not impose an opinion on a "best" method.

Crispin

> The only way to write to this data area is via a specific runlevel (I know,
> adding a new run level) that is used only for editing security policies.
> When attempting to start in runlevel securityedit, you must enter a password
> (not the root passwd!!!!), or a key (PKI ?), or enter a disk containing a key
> (again PKI?) before access to that runlevel is allowed.
>
> For normal boot, the kernel reads this data and stores it somewhere. Once
> read, access (capability?) is then taken out of the kernel for that
> operation. I don't think that storing it in memory would be a security risk,
> as if userland / bad guy (tm) can read kernel memory, there is no security
> anyway. However, resources might be an issue (not sure??)
>
> --
>
> The Celestial Wizard
> President - South East Brisbane Linux Users Group
> http://merlin.hatfields.com.au/seblug/
>
> Red Hat Certified Engineer
> Master RedHat Linux Administrator Certification - Brainbench
> Master WindowsNT Administrator Certification - Brainbench
>
> I don't speak for Microsoft. So please don't speak for me.
>
> _______________________________________________
> linux-security-module mailing list
> linux-security-moduleat_private
> http://mail.wirex.com/mailman/listinfo/linux-security-module

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc.   http://wirex.com
Security Hardened Linux Distribution:         http://immunix.org
This archive was generated by hypermail 2b30 : Mon Apr 16 2001 - 10:04:51 PDT