Re: module's use of security_ops

From: sarnoldat_private
Date: Fri Jun 08 2001 - 12:05:17 PDT

    On Fri, Jun 08, 2001 at 02:26:36PM -0400, jmjonesat_private wrote:
    > Since modules of any kind can be "insmod'd" into the kernel by the admin,
    > "total trust" is a pretty liberal policy.
    
    Don't forget that security modules are free to prevent further modules
    from being insmodded. I don't suspect many will choose this route, but
    it is available for those that wish. One removes the module loading
    process by replacing the create_module and init_module system calls.
    
    > > Not exporting the security_ops structure is only an obscurity defense
    > > against code that is already assumed to do no harm. If there is kernel
    > > code you don't trust, either #ifdef it out, or refuse to load the
    > > module (if it comes in that form).
    > 
    > Okay (sigh).  I think that assumption is unsupportable, but your
    > conclusion follows if the assumption is true.
    
    Well, whether or not it is true that kernel code does no harm is another
    matter. However, kernel code has complete control over the whole computer.
    It sounds like trust to me. :)
    
    > How do I refuse a module loading without knowing if it needs
    > security_ops, in a general sense?  Even minimally, exporting does 
    > not leave an audit trail...
    
    Just because a module refers (or does not refer) to security_ops *by
    name* is no promise that the module does (or does not) *modify*
    security_ops. 
    
    > > Or, run a microkernel you do trust. :)
    > 
    > You throwing me out of Linux altogether? (^_^)
    
    Well, if you don't trust the services the Linux kernel provides, your
    options are limited. :) For me, none of my data is important enough to
    worry that there is a kernel conspiracy putting bad kernel code into my
    computer. I check the gpg signature of the tarball I download, and hope
    that is sufficient. I'm not paranoid enough to read every line of code
    myself; in my risk analysis, the kernel is not an adversary.
    
    Depending upon your own risk analysis, perhaps you cannot trust the
    kernel. In which case, you probably ought to run something else.
    
    :)
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
    


