On Fri, Oct 18, 2002 at 12:04:00AM -0700, Crispin Cowan wrote:
> >I know. but hiding them doesn't make them any better..
> >
> Actually, yes it does, and that is the point. You don't have to like
> SELinux's system calls, or any other module's syscalls. The whole point
> of LSM was to decouple security design from the Linux kernel development.

But I dislike the notation of module syscalls. Syscalls are a global thing and they shall not be registered without proper review from all kernel developers. Driver development is untangled from kernel development, too, and it doesn't need syscalls.

> There are a butt-load of different access control models, and many of
> them are not compatible with one another. You wouldn't want to support
> them all--that would be serious bloat. So instead, LSM lets each user
> choose the model that suits them:

Fucking no! Don't add syscall interfaces without review. Adding a new syscall for a "security modules" is a sign that you got your design wrong.

> * server users can choose a highly secure model
> * workstation users can choose something desktop oriented
> * embedded people can choose nothing at all, or the specific
> narrow-cast model that they need

Blah, blah, blah. You don't get more security by plugging in a buggy module.

> On the other hand: what is the big cost here? One system call. Isn't
> that actually *lower* overhead than the (say) half dozen
> security-oriented syscalls we might convince you to accept if we drop
> the sys_security syscall as you suggest? Why the fierce desire to remove
> something so cheap?

It's the broken design. Look at Windows: it has tons of cheap features - and exactly because of that it's such a piece of crap.

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module