Jonathan Heusser wrote:

> While looking through the code of the 'openwall'-module of LSM I wondered
> why there aren't all the features implemented which the real openwall
> kernel patch provides?
> (in other words: non-exec user stack, restricted /proc, [more?]).

No-exec stack is not feasible to do as a module; it requires intrusive hacks into the VM system.

/proc is not done because you can control access to /proc through normal access controls, i.e. compose the OWLSM module with one of the access control engines (SELinux, SubDomain, LIDS, etc.).

Basically, OWLSM implements what it can and what is needed. It also got used as a place to implement a "no ptrace for root processes" hack. I'm not sure if that hack is in the BK published version or not, but it should be.

OWLSM is a good place to add pathology-prevention hacks that are beneficial to a production server, but a little too intrusive to be a native Linux kernel enhancement. So if you have a suggestion for another pathology prevention feature, consider adding it to OWLSM.

Crispin

--
Crispin Cowan, Ph.D. http://wirex.com/~crispin/
Chief Scientist, WireX http://wirex.com
HP/Trend Micro Immunix Secured Solutions http://h18000.www1.hp.com/products/servers/solutions/iis/
Just say ".Nyet"

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Tue Mar 25 2003 - 13:38:00 PST