Re: Possible system call interface for LSM

From: richard offer (offerat_private)
Date: Thu Aug 09 2001 - 17:31:30 PDT


    * frm crispinat_private "08/09/01 16:52:32 -0700" | sed '1,$s/^/* /'
    *
    * David Wagner wrote:
    * 
    *> richard offer  wrote:
    *> > I really don't like the idea of forcing the use of the /proc filesystem
    *> > just to enable the use of LSM.
    *> > 
    *> > This could affect the uptake of LSM in the embedded space.
    *> 
    *> Do we have any evidence from real embedded guys that they actually want
    *> to use non-trivial LSM modules?  (Non-trivial enough that they need to be
    *> controlled through /proc, that is.)  I don't know whether there are any
    *> embedded folks on this list, but maybe this isn't even a problem.
    * 
    * I'd agree that an embedded system that's fussy about the use of /proc is
    * also likely so small that they don't want big LSM modules.
    
    That rules out the use of an LSM policy (SELinux/audit/MAC) on firewalls,
    routers and other network devices. 
    
    It's not that they don't have the room for it, but forcing anyone to do
    anything before they can use something that you're trying to sell them
    makes the job harder.
    
    It's going to be hard enough as it is.
    
    
    David said :-
    
    * As you say, it needs to be measured.  However, unless I missed something
    * above, my view is that, in absence of measurements or other evidence to
    * the contrary, we should proceed on the assumption that we can make the
    * performance of a /proc-based solution good enough, if we want to do so.
    
    I disagree; our existing code (SELinux, SubDomain, audit, MAC) is all
    system call based, as is the rest of unix. Unless there are overwhelming
    technical reasons for not multiplexing a single system call, I believe we
    should move forward with that.
    
    * 
    * Crispin
    * 
    
    richard.
    
    -----------------------------------------------------------------------
    Richard Offer                     Technical Lead, Trust Technology, SGI
    "Specialization is for insects"
    _______________________________________________________________________
    
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
    



    This archive was generated by hypermail 2b30 : Thu Aug 09 2001 - 17:32:41 PDT