Re: 2.5.51 update and owlsm

From: Crispin Cowan (crispinat_private)
Date: Fri Dec 13 2002 - 21:28:35 PST


    Greg KH wrote:
    
    >I also fixed up the owlsm module, based on the fact that we don't have
    >to have a bunch of "NULL" functions around anymore.  But in doing that I
    >realized that it doesn't have a lot of the default capabilities
    >functionality in it.  Now that the capability functions are exported,
    >this is easy to add, if it's wanted.
    >
    >So should I add this?  Or is owlsm just a "test" module that will never
    >be added to the main kernel tree?
    >
    OWLSM embodies several pathology prevention policies that are ideal for 
    a module:
    
        * root doesn't follow symlinks in selected circumstances
        * non-root can't hard link to files owned by root
        * [new from Yiyang Fei] no ptrace for root processes
    
    These policies are ideal for a module because they:
    
        * add security value for machines you want protected, so you want to
          be able to have them
        * can mess up some development and production environments, so you
          want to be able to remove them
    
    So yes, I think the OWLSM module is ideal for inclusion in the mainline 
    kernel.
    
    It has not been maintained lately, because Chris has other priorities. 
    If someone (Greg?) wants to work on OWLSM to bring it up to speed, that 
    would be great. If not, we'll get to it eventually.
    
    Thanks to Greg for the OWLSM improvements.
    
    Crispin
    
    -- 
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX                      http://wirex.com/~crispin/
    Security Hardened Linux Distribution:       http://immunix.org
    Available for purchase: http://wirex.com/Products/Immunix/purchase.html
    			    Just say ".Nyet"
    
    
    
    
