jmjonesat_private wrote: > On Tue, 14 Aug 2001, Theodore Tso wrote: > > I would suggest that what's most likely to get into the kernel is > > something where the Linux Security Module can be made *optional*. > > I don't believe this is an element of the current design philosophy. Quite > honestly, this reduces it to a combined project by several pre-existing > projects rather than an attempt to apply security to the development of the > Kernel. I disagree, but I'm cheating, 'cause I've heard Ted explain his approach to me in person :-) What he's talking about is to change all of the hooks to be macros, and put #ifdef's in header files so that the Linux kernel config can turn the LSM hooks into true nop's at config time, without dropping conditional compilation into the body of the code. Ted's suggested approach has its costs and benefits. The benefits are fairly obvious, so I won't elaborate. The costs are: * There is resistance to conditional code, because it makes the kernel harder to manage & test. Confining the conditional code to header files mitigates this issue. * There are problems with making some of the hooks macros, because they are used in the code as infix terms in the kernel's code body in if () clauses. Thus the "no LSM" macros have to be carefully constructed to be #define'd as either 1 or 0, depending on context and appropriate defaults. * It compromises the notion of Capabilities as a module. If you disable LSM, you lose Capabilities entirely, so users who don't want LSM also lose Capabilities. I.e. "no LSM" doesn't exactly return you to the status quo kernel. However, none of this means that LSM becomes "a combined project by several pre-existing projects rather than an attempt to apply security to the development of the Kernel." LSM continues to be an abstract API for building access control modules for the Linux kernel. Ted's suggestion is just to make the API's existance optional. That's ok, fundamental things like network routing support is optional too. What Ted's suggestion DOES do is raise another reason why it is infeasible to move the existing kernel DAC logic to a module. If we do that, then it becomes hopeless to make LSM optional, because it would break all security if LSM is removed. Crispin -- Crispin Cowan, Ph.D. Chief Scientist, WireX Communications, Inc. http://wirex.com Security Hardened Linux Distribution: http://immunix.org Available for purchase: http://wirex.com/Products/Immunix/purchase.html _______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Tue Aug 14 2001 - 16:01:41 PDT