On Fri, 18 Oct 2002 18:33, Christoph Hellwig wrote:
> On Fri, Oct 18, 2002 at 06:30:28PM +0200, Russell Coker wrote:
> > So how does it harm the mainline kernel to have a system call reserved
> > for LSM and then not allow anything in the mainline kernel that uses it?
> > Then we can deploy modules using the current LSM design without harming
> > the mainline kernel.
>
> It adds infrastructure to implement syscalls without peer review.

It is no easier to add syscalls without peer review in the LSM model than it is to add them directly. LSM merely avoids the risk of syscall conflict. Adding syscalls without review, starting at a number 1000 greater than the current highest syscall, should reduce the risk of number conflict to merely a risk of patch conflict. Removing the LSM syscall does not remove this problem.

> > The only code that we really want to see in the mainline kernel is the
> > hooks for permission checks. Personally I would not mind if no security
> > module ever gets included in Linus' source tree.
>
> And exactly these hooks harm. They are all over the place, have
> performance and code size impact and mess up readability. Why can't you
> just maintain an external patch like i.e. mosix folks that need similar
> deep changes?

One problem with maintaining an external patch that makes lots of deep changes is that any patch of note will conflict with it. For most people who use such patches that's a huge problem. I'm not a great kernel coder, so most of the kernel coding that I do is involved with resolving such patches, not actually doing anything interesting. I'd prefer to be able to spend that time on other tasks, which would include working on some of the issues with coreutils we discussed. If we remove make-work tasks from other programmers (such as repeated work to keep a patch up to date and in sync with other patches) then they can spend their time productively on other tasks.

Another issue with LSM is that it's not as easy to test as Mosix. With Mosix you can test that everything works; although these tests may not be easy (Mosix is complex), they can give a satisfactory result. For security you can't test it in an authoritative fashion: if a certain parameter to a syscall results in a permission check being skipped, you can't determine this by testing. Part of the solution to this is to have the LSM code in the mainline kernel so we are all working on the same version. Another part is the ongoing research that IBM people are performing on validating kernel hooks.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Fri Oct 18 2002 - 09:56:10 PDT