Matt Block wrote:

> From: crispinat_private [mailto:crispinat_private]
>
> IMHO, the priority sequence for LSM is:
>
> 1. Finish the current rendition of LSM and get it into the 2.5
> kernel (as Greg said)
>
> 2. Audit
>
> 3. Permissive hooks
>
> Does your humble opinion represent, by any chance, something that can be
> viewed as a guideline?

Sort-of. WireX started this project in response to a perceived community need, a perceived opportunity that Linus created when he said he'd be interested in such a thing, and (naturally) because it is in our own interests, because we have our own security enhancements that we wish could be modules.

I am the PI (Principal Investigator) on a DARPA contract (Autonomix http://immunix.org/autonomix/ but this web page is a bit out of date) that is, in part, paying for WireX's development efforts on LSM. This means that in principle I direct the guys coming from the wirex.com domain (Chris, Seth, and Steve) but in practice they know more about kernel code than I do, so I mostly provide guidance and let them do what they're good at.

LSM is a community project. It will have no purpose at all if the community does not buy into it. "Community" means both the security community (which is famous for squabbling) and the Linux community (which is relatively new at the squabbling business :-) So while I speak with a fairly well-informed voice with a sack of money tied to it, I don't really hold special powers over LSM.

> If you are saying that permissive hooks are low priority, but that they
> _are_ a recognized goal of the project, then I think I agree; there may
> be no need to get them in now, but perhaps something _could_ be put in at
> relatively low cost so as to indicate more clearly that this is a
> direction in which we think we might want to go. Even just a very low
> priority entry on the TODO list would be a great start.

Permissive hooks is a complex question. Personally, I don't like them: I prefer the "simple assurance" property of a restrictive-only interface. I recognize the legitimacy of what you can do with permissive hooks, but I don't personally think they're worth the cost. So if/when it comes up again, I will oppose permissive hooks, but not veto them.

Within the security community, I know that David Wagner agrees with me on this. Stephen Smalley appears to be on the fence.

In the Linux community, we suspect that there will be more resistance to permissive hooks than to restrictive hooks. So even if we were all agreed that permissive hooks were desirable, it would still be a "later, and then only if Linus agrees" item.

> Is there a clear list of projects on which help is needed?

No, but that's a good idea:

* I like Seth's idea (just posted) of implementing BSD-style securelevel with an LSM module.
* I'm not sure if JM Jones wants help with the LSM Test Suite.
* Greg pointed out at the start of today's "TODO" thread that socket mediation needs work.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Fri Jul 13 2001 - 16:51:29 PDT