On Fri, Jun 08, 2001 at 02:26:36PM -0400, jmjonesat_private wrote:
> Since modules of any kind can be "insmod'd" into the kernel by the admin,
> "total trust" is a pretty liberal policy.

Don't forget that security modules are free to prevent further modules from being insmodded. I don't suspect many will choose this route, but it is available for those that wish. One removes the module loading process by replacing the create_module and init_module system calls.

> > Not exporting the security_ops structure is only an obscurity defense
> > against code that is already assumed to do no harm. If there is kernel
> > code you don't trust, either #ifdef it out, or refuse to load the
> > module (if it comes in that form).
>
> Okay (sigh). I think that assumption is unsupportable, but your
> conclusion follows if the assumption is true.

Well, whether or not it is true that kernel code does no harm is another matter. However, kernel code has complete control over the whole computer. It sounds like trust to me. :)

> How do I refuse a module loading without knowing if it needs
> security_ops, in a general sense? Even minimally, exporting does
> not leave an audit trail...

Just because a module refers (or does not refer) to security_ops *by name* is no promise that the module does (or does not) *modify* security_ops.

> > Or, run a microkernel you do trust. :)
>
> You throwing me out of Linux altogether? (^_^)

Well, if you don't trust the services the Linux kernel provides, your options are limited. :)

For me, none of my data is important enough to worry that there is a kernel conspiracy putting bad kernel code into my computer. I check the gpg signature of the tarball I download, and hope that is sufficient. I'm not paranoid enough to read every line of code myself; in my risk analysis, the kernel is not an adversary.

Depending upon your own risk analysis, perhaps you cannot trust the kernel. In which case, you probably ought to run something else. :)

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Fri Jun 08 2001 - 12:11:42 PDT