Mark me down for this summary:

Chris (Other Chris): Move kernel logic into a default security module.
	Chain (or in some VERY restricted cases replace) onto that default
	module for everyone else's modules.

On Wed, 6 Jun 2001 jmjonesat_private wrote:

>
> How inaccurate are the following summaries?
>
> Dr. Cowen: the smaller the changes to the original kernel code
>       the better, unless ABSOLUTELY necessary. The idea
>       of "breaking capabilities" out, maybe discarding them
>       altogether.
>
> Professor/Dr. Wagner: There are ways to build "smart logic" into
>       the kernel to flip between options (I think, you're over
>       my head here... jmj)
>
> Stephen Smalley: The minimal invasive hook is to let the kernel
>       have its way, then potentially override it with the module,
>       but capabilities have to stay for political reasons.
>
> Chris Wright: How do we do this in ACTUAL code, I *think* leaning
>       toward Mr. (Dr?) Smalley's method.
>
> JMJONES: Move as much to the module as necessary, but no more.
>       Leave the maximum number of options in the interface.
>       Create a structure that allows the most variation in
>       module strategy starting from HERE.
>
> Greg K-H: Hahahahaha (probably the smartest of us all (^_^)(jmj)).
>
> Matt B: Move it ALL to the module, rip it out of the kernel.
> Titus: Move it ALL to the module, rip it out of the kernel. Take
>       the "hit points" now.
>
> Jesse Pollard: Move as much security as is possible out of the kernel,
>       share the original security if desired.
>
> Casey Shaufler: Move a lot to the module, but don't interfere with or
>       discount capabilities, since permissive is inherent in his/her
>       MASTER PLAN.
>
> I apologize to any I got "dead wrong", but could we reduce the argument
> to a statement of 25 words or less for each position, then move from
> there? Also, I know the above list puts me in the "center"... personal
> privilege, for now.
>
> I'm "on hold" with my modules, and "anything" is beginning to rise in
> the ranks of solution(s) here. I don't want to move forward then
> have to "trash" a lot of code.
>
> Thanks,
> Geoff
>
>
>
> |>------------------------------------------------------
> || J. MELVIN JONES            jmjonesat_private
> |>------------------------------------------------------
> || Microcomputer Systems Consultant
> || Software Developer
> || Web Site Design, Hosting, and Administration
> || Network and Systems Administration
> |>------------------------------------------------------
> || http://www.jmjones.com/
> |>------------------------------------------------------
>
>
> _______________________________________________
> linux-security-module mailing list
> linux-security-moduleat_private
> http://mail.wirex.com/mailman/listinfo/linux-security-module
>

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module

This archive was generated by hypermail 2b30 : Wed Jun 06 2001 - 10:13:49 PDT