Re: Making forward progress

From: Crispin Cowan (crispinat_private)
Date: Tue Aug 14 2001 - 16:00:20 PDT

  • Next message: Greg KH: "Re: Possible system call interface for LSM"

    jmjonesat_private wrote:
    
    > On Tue, 14 Aug 2001, Theodore Tso wrote:
    > > I would suggest that what's most likely to get into the kernel is
    > > something where the Linux Security Module can be made *optional*.
    >
    > I don't believe this is an element of the current design philosophy. Quite
    > honestly, this reduces it to a combined project by several pre-existing
    > projects rather than an attempt to apply security to the development of the
    > Kernel.
    
    I disagree, but I'm cheating, 'cause I've heard Ted explain his approach to
    me in person :-)  What he's talking about is to change all of the hooks to be
    macros, and put #ifdef's in header files so that the Linux kernel config can
    turn the LSM hooks into true nop's at config time, without dropping
    conditional compilation into the body of the code.
    
    Ted's suggested approach has its costs and benefits.  The benefits are fairly
    obvious, so I won't elaborate.  The costs are:
    
       * There is resistance to conditional code, because it makes the kernel
         harder to manage & test.  Confining the conditional code to header files
         mitigates this issue.
       * There are problems with making some of the hooks macros, because they
         are used in the code as infix terms in the kernel's code body in if
         () clauses.  Thus the "no LSM" macros have to be carefully constructed
         to be #define'd as either 1 or 0, depending on context and appropriate
         defaults.
       * It compromises the notion of Capabilities as a module.  If you disable
         LSM, you lose Capabilities entirely, so users who don't want LSM also
         lose Capabilities.  I.e. "no LSM" doesn't exactly return you to the
         status quo kernel.
    
    However, none of this means that LSM becomes "a combined project by several
    pre-existing projects rather than an attempt to apply security to the
    development of the Kernel."  LSM continues to be an abstract API for building
    access control modules for the Linux kernel.  Ted's suggestion is just to
    make the API's existance optional.  That's ok, fundamental things like
    network routing support is optional too.
    
    What Ted's suggestion DOES do is raise another reason why it is infeasible to
    move the existing kernel DAC logic to a module.  If we do that, then it
    becomes hopeless to make LSM optional, because it would break all security if
    LSM is removed.
    
    Crispin
    
    --
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX Communications, Inc. http://wirex.com
    Security Hardened Linux Distribution:       http://immunix.org
    Available for purchase: http://wirex.com/Products/Immunix/purchase.html
    
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
    



    This archive was generated by hypermail 2b30 : Tue Aug 14 2001 - 16:01:41 PDT