[pardon the typos. my 'e' key is flakey]

Charles Levert (LMC) wrote:
> After a discussion with my colleagues today, I wondered about the
> following. The kernel evolves all the time. There will always be
> patches available for it; some will be integrated, but others will
> appear. Assume that, e.g., the IPSec functionality from FreeS/WAN
> would already be in the standard 2.4 kernel from which the LSM effort
> was started. Further assume that, were that the case, there would
> have been one or more LSM hooks in that IPSec code.
>
> Now, the reality is that IPSec is still a patch. If, as is the plan,
> LSM is integrated in the standard kernel, and if, later, the IPSec code
> were also to be merged in with new hooks, what would be the consequences:
> -- for existing object modules?
> -- for existing source modules (simple recompilation, or more)?
>
> What will be the general instructions for producing patches that want
> to add new hooks? In other words, how will LSM evolve once it's in
> the standard kernel? What will be the issues?

Your question is well taken. We even had a long discussion on the question of keeping LSM hooks up to date WRT kernel evolution at the first LSM BoF last summer. The short answer is "dang, that's hard."

The longer answer is a research project that Trent Jaeger @ IBM has undertaken: his group is working on "LSM Verification", wherein they can hypothetically detect when LSM hooks have been broken, or are incomplete. No, I cannot explain that, ask Trent :)

WRT the "status of modules": Linux has a long-standing policy that there is NO guarantee that modules will work across kernel versions. To keep your module working between (say) Linux 2.6.17 and 2.6.18, you may well have to hack the source to your module as well as re-compile. LSM does not propose to change this policy: there are no guarantees, your module may well fail for some future kernel version.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc.
http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Mon Apr 08 2002 - 14:07:47 PDT