Re: LSM Patch Additions for CAPP (C2) Audit Trails

From: jmjonesat_private
Date: Fri Jul 06 2001 - 09:55:01 PDT

    On Thu, 5 Jul 2001, Crispin Cowan wrote:
    
    >    * Now: sufficient hooks to support access controls.
    >    * Later:  try to pitch the mainline kernel group on audit hooks
    
    Thank you, that helps.  Can it be phrased (less succinctly) as an
    iterative approach, as follows:
    
    1)  Produce an interface that provides the smallest number of hooks 
        possible that reliably allow a module to further restrict access to
        kernel objects without substantially modifying the kernel logic or 
        structure.  Relevant kernel objects being related to filesystems and 
        IPC (sysv,unix domain,tcp?)
        
    2)  Sell the project into the Kernel.
    
    3)  Extend the interface to address other (e.g., audit) needs in a like
        manner IF some sort of willingness or acknowledgement from the kernel
        developers can be found to support it.
    
    4)  Repeat steps 2 and 3 as other security related needs may be
        identified in the future. (until we run out of steam.)
    
    So, the "wall is sticky" only to patches that:
    
    A) do not modify the effect of the kernel-side logic except to isolate
       the placement of the hook relevant to the current development
       iteration.
    
    B) add hooks ONLY if similar functionality cannot be derived from 
       a combination of existing hooks or (minor) modification of other hooks.
       The issue of granularity is a hard sell, but not a deal breaker.
    
    C) strictly apply only to the current iteration (in the first case,
       restrictive access control to relevant kernel objects.)
    
    Or do I misunderstand? :)
    J. Melvin Jones
    
    |>------------------------------------------------------
    ||  J. MELVIN JONES            jmjonesat_private 
    |>------------------------------------------------------
    ||  Microcomputer Systems Consultant  
    ||  Software Developer
    ||  Web Site Design, Hosting, and Administration
    ||  Network and Systems Administration
    |>------------------------------------------------------
    ||  http://www.jmjones.com/
    |>------------------------------------------------------
    
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
    This archive was generated by hypermail 2b30 : Fri Jul 06 2001 - 09:56:27 PDT