Crispin Cowan wrote: > buddy wrote: > > > However, this does *not* offer complete protection. It might even > > introduce vulnerabilities, 'cause if I can hook into the kernel to prevent > > something from happening, my paranoid other half realizes that someone > > else could as well. > > > > I can set all the permissions I want, but if someone thrashes my DNS, > > I'm screwed. (So do we want to hook into signal() to catch segfaults?) > > If someone takes an axe to my webserver, I'm screwed. (So do we want > > to hook into the webcam driver so we can detect motions in the server room?) > > I think you're missing the concept. You need root privileges to be able to load > modules. Many of the security modules will actually disable further module > loading and unloading. So once your machine is booted and running the security > module of your choice, the LSM interface does not present an additional threat, > regardless of what someone does to (say) your DNS server. I was trying to express my concern about where the discussion is going. I'm sorry if I wasn't clear enough. If we had carte blanche we could hook into *all* kernel objects and functions. But Linus has made it quite clear that LSM's impact on the kernel code proper has to be limited - and of course, that makes sense. If it turns out that these limits still allow for every conceivable and favourable hook we can think of, that's just perfect. I don't think this will happen though, so we'll have to make decisions about LSM's features and forget about the ones we don't need. <sarcasm> After all the plugs from people promoting their own solutions to a problem that has not even been defined, we now have a list of hook candidates, comprising "basic kernel service, filesystems, capabilities, network, IPC, and more." Brilliant, we cover everything. </sarcasm> Now, the only thing I'm trying to say here, is that nobody seems to care about the reason *why* you would want to hook into, say, sys_fork(). There has been no discussion about the actual threats and insecurities that we want to cover. If you don't think that that matters, think again. As an example, needing root privileges in order to (un)load modules doesn't make me feel any safer, but apparently I'm more paranoid than you are. ;-) I'm worried about all those people relying on their LKM notifying them of a root compromise, and being owned all the same. I'm not saying that LSM will add insecurity to the kernel. What I'm addressing is the problem that the police face: if you want to carry a gun to protect people, you'd better protect the gun too. Besides, the police's primary task is not to carry a gun, but to protect people. > Crispin > > P.S. My thanks to Huagang for actually providing the spec of desired hooks for > LIDS. That's what we really need to be discussing here. I'm certainly not trying to start a broad, general discussion about computer security. I can't wait either to get something done. But not just anything. So, while I appreciate Huagang's effort and input, I thought I'd take the opportunity to discuss the *really* difficult stuff related to security, and how that is connected to LSM. Cheers, Buddy > -- > Crispin Cowan, Ph.D. > Chief Scientist, WireX Communications, Inc. http://wirex.com > Security Hardened Linux Distribution: http://immunix.org _______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Thu Apr 19 2001 - 02:41:18 PDT