David Wheeler wrote:

> Crispin Cowan <crispinat_private> said:
> >Ok. I'm convinced of the validity of fd's for audit purposes. I'm further
> >convinced that it would be hard to reconstruct the fd's from other provided
> >information.
> >What I'm not convinced of is that this needs to go into phase 1.
>
> I believe fd support _does_ need to be added, in phase 1, to reduce later "API
> shuffling".
>
> There appears to be an understanding that there _will_ be a phase 2 which will
> add audit, and an increasing consensus that fd's will have to be added. If the
> current hooks don't include fd's, then in phase 2 EVERYONE (including those who
> DON'T need fd's) will have to change their modules, in a large variety of
> locations.

The problem here is that while there will be an *attempt* at Phase 2, it is not clear that the mainline kernel will ever accept it. Phase 1 may well be the last phase. That is NOT how I want things to turn out, but acceptance into the main kernel is not up to us.

There exists a heavy bias against audit in the linux kernel community, and it is incumbent upon us to recognize that. This recognition takes at least two forms:

* the phase 1/2 strategy itself: don't force the linux crowd to throw the whole of LSM out the door just because they don't like audit
* not building half-baked audit stuff into the phase 1 patch: "it's prep for phase 2" will not fly.

Please understand that I'm trying to get fd's in, for real, and not just accepting them now and getting them bounced out later.

I asked for access control motives for fd's, and Casey said:

> A file marked with the STDIN bit (on a file system which supports it) may only
> be accessed as the STDIN of a process. A file marked NO_STDIN may never be used
> as the STDIN of a process.

Seth said (paraphrasing) "to support Solar Designer stdin/out/error special handling hack."

These appear to be substantially the same issue. Main obstacle: Solar is not on this list. In private mail, Solar said that he likes the project, but that he doesn't have time for another mailing list.

So how about someone who is motivated to get fd's into the LSM patch (either SGI or someone else) port some subset of the Solar Designer patch to the LSM+fd parms. We will then have a very well motivated example in hand should anyone in linux kernel space question this decision. And it will be cool :-)

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
This archive was generated by hypermail 2b30 : Tue Jul 24 2001 - 16:49:36 PDT