Re: permissive vs. restrictive issue and solutions...

From: Crispin Cowan (crispinat_private)
Date: Sat Jun 02 2001 - 16:11:35 PDT


    jmjonesat_private wrote:
    
    > On Sat, 2 Jun 2001 Valdis.Kletnieksat_private wrote:
    > Whenever you introduce "options", you divide the audience into
    > subaudiences with differing objectives for evaluating the
    > implementation.  Since you have fewer people in "each camp", you
    > have fewer people looking at each solution.
    
    So following this argument, the security elements that are (likely) common to
    most security options should be in the kernel, and those elements that are not
    common should be in a module.  This was the thought behind the original design,
    which leaves classic UNIX permissions in the kernel (because everyone uses them)
    and moves Capabilities to a module (because few people use them).
    
    The problem is that this separation has been found to be uncomfortable, because
    of the tension between the common desire for a restrictive-only LSM interface,
    and the occasional desire for permissive security controls.
    
    
    > The addition of chaining/stacking opens other opportunities for
    > a "commonly reviewable resource", in the same fashion that the
    > current "standard capability_plug" module needs to be reviewed
    
    Yep, that was the original design, too.
    
    So here's yet another idea:  split the LSM interface into two parts, permissive
    and restrictive.  Designers who want purely restrictive functionality use only
    the restrictive parts, and thus get easier/higher assurance. Those who want
    permissive functionality can turn it on if they need it.
    
    "Split" may be an over-statement.  Perhaps just a global switch that can disable
    the permissive interfaces would suffice?  Then a module designer could turn off
    permissiveness, and be assured that their module will "at least do no harm."
    
    Crispin
    
    --
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX Communications, Inc. http://wirex.com
    Security Hardened Linux Distribution:       http://immunix.org
    Available for purchase: http://wirex.com//Products/Immunix/purchase.html
    
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
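The split-interface idea above, with a global switch gating the permissive half, as a constructed C model (an added illustration, not code from this list or from the real LSM hook table). The hook names, the 0/-1 return convention, the owner-only DAC check and the sample uids are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the proposed split hook table, not the real LSM API.
 * Hooks return 0 for allow and -1 for deny. */
typedef int (*lsm_hook_t)(int uid, int owner);
#define MAX_HOOKS 4
static lsm_hook_t restrictive_hooks[MAX_HOOKS], permissive_hooks[MAX_HOOKS];
static size_t n_restrictive, n_permissive;
static bool lsm_permissive_enabled;          /* the proposed global switch */
void lsm_reset(void) { n_restrictive = n_permissive = 0; lsm_permissive_enabled = false; }
void lsm_set_permissive(bool on) { lsm_permissive_enabled = on; }
int lsm_register_restrictive(lsm_hook_t h)
{ return n_restrictive < MAX_HOOKS ? (restrictive_hooks[n_restrictive++] = h, 0) : -1; }
int lsm_register_permissive(lsm_hook_t h)
{ return n_permissive < MAX_HOOKS ? (permissive_hooks[n_permissive++] = h, 0) : -1; }
/* Classic UNIX permission check stays in the kernel: owner-only access. */
static int dac_check(int uid, int owner) { return uid == owner ? 0 : -1; }
/* Compose DAC and module decisions. Restrictive hooks may only add a deny,
 * so with the switch off a module can never grant more than DAC already does. */
int lsm_access(int uid, int owner)
{
    int rc = dac_check(uid, owner);
    for (size_t i = 0; i < n_restrictive; i++)
        if (restrictive_hooks[i](uid, owner) < 0)
            return -1;                       /* any restrictive deny is final */
    if (rc == 0 || !lsm_permissive_enabled)
        return rc;                           /* permissive path switched off */
    for (size_t i = 0; i < n_permissive; i++)
        if (permissive_hooks[i](uid, owner) == 0)
            return 0;                        /* module overrides a DAC deny */
    return rc;
}
/* Sample modules (constructed): a capability-style override for uid 0, and a
 * restrictive policy that locks out uid 1000 entirely. */
int cap_dac_override(int uid, int owner) { (void)owner; return uid == 0 ? 0 : -1; }
int deny_uid_1000(int uid, int owner) { (void)owner; return uid == 1000 ? -1 : 0; }
int main(void)
{
    lsm_reset();
    lsm_register_permissive(cap_dac_override);
    lsm_register_restrictive(deny_uid_1000);
    printf("uid 0 -> owner 500, switch off: %d\n", lsm_access(0, 500));     /* -1 */
    lsm_set_permissive(true);
    printf("uid 0 -> owner 500, switch on:  %d\n", lsm_access(0, 500));     /* 0 */
    printf("uid 1000 -> own object:         %d\n", lsm_access(1000, 1000)); /* -1 */
    return 0;
}
```

With the switch off, the capability module's grant is never consulted, so the module can only tighten what DAC decides, which is the "at least do no harm" property the proposal is after.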
    



    This archive was generated by hypermail 2b30 : Sat Jun 02 2001 - 16:12:28 PDT