Re: OWL module implementation

From: Crispin Cowan (crispinat_private)
Date: Tue Mar 25 2003 - 13:37:24 PST

Jonathan Heusser wrote:
> While looking through the code of the 'openwall'-module of LSM I wondered
> why there aren't all the features implemented which the real openwall
> kernel patch provides?
> (in other words: non-exec user stack, restricted /proc, [more?]).

No-exec stack is not feasible to do as a module; it requires intrusive
hacks into the VM system.

/proc is not done because you can control access to /proc through normal
access controls, i.e. compose the OWLSM module with one of the access
control engines (SELinux, SubDomain, LIDS, etc.).

Basically, OWLSM implements what it can and what is needed.

It also got used as a place to implement a "no ptrace for root
processes" hack. I'm not sure if that hack is in the BK published
version or not, but it should be.

OWLSM is a good place to add pathology-prevention hacks that are
beneficial to a production server, but a little too intrusive to be a
native Linux kernel enhancement. So if you have a suggestion for another
pathology prevention feature, consider adding it to OWLSM.

Crispin Cowan, Ph.D.
Chief Scientist, WireX
HP/Trend Micro Immunix Secured Solutions
                            Just say ".Nyet"
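The two points in the reply above, composing OWLSM with a separate access-control engine and the "no ptrace for root processes" hack, can be illustrated together with a small user-space model of stacked LSM ptrace hooks. This is an added example, not code from the mail or from the OWLSM module itself: the names `owlsm_ptrace`, `dac_ptrace`, `compose_ptrace` and `stacked_ptrace_check`, the `struct task` credential model, and the exact conditions each rule tests are assumptions made for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the credential fields a ptrace policy looks at.
 * User-space illustration only; the kernel's task_struct is not used. */
struct task {
    const char *name;
    unsigned uid, euid, suid;   /* real, effective and saved uid */
    bool cap_sys_ptrace;        /* tracer holds CAP_SYS_PTRACE */
};

/* One stacked module's ptrace hook: 0 allows, -EPERM denies. */
typedef int (*ptrace_hook)(const struct task *tracer,
                           const struct task *tracee);

/* Hypothetical OWLSM-style "no ptrace for root processes" rule, modelled on
 * the hack the mail describes. The fields tested are an assumption: any uid
 * slot of the tracee being 0 is enough to refuse, whoever the tracer is. */
static int owlsm_ptrace(const struct task *tracer, const struct task *tracee)
{
    (void)tracer;
    if (tracee->uid == 0 || tracee->euid == 0 || tracee->suid == 0)
        return -EPERM;
    return 0;
}

/* Hypothetical DAC-style rule standing in for the access-control engine
 * OWLSM is composed with: attach only to tasks whose uid matches the
 * tracer's in every slot, unless the tracer has CAP_SYS_PTRACE. */
static int dac_ptrace(const struct task *tracer, const struct task *tracee)
{
    if (tracer->cap_sys_ptrace)
        return 0;
    if (tracer->euid == tracee->uid && tracer->euid == tracee->euid &&
        tracer->euid == tracee->suid)
        return 0;
    return -EPERM;
}

/* Restrictive composition: walk the stack and stop at the first refusal,
 * so a request passes only if every module allows it. */
static int compose_ptrace(const ptrace_hook *stack, int n,
                          const struct task *tracer, const struct task *tracee)
{
    for (int i = 0; i < n; i++) {
        int rc = stack[i](tracer, tracee);
        if (rc != 0)
            return rc;
    }
    return 0;
}

/* The stack used in this example: the OWLSM hack first, then the DAC engine. */
int stacked_ptrace_check(const struct task *tracer, const struct task *tracee)
{
    static const ptrace_hook stack[] = { owlsm_ptrace, dac_ptrace };
    return compose_ptrace(stack, 2, tracer, tracee);
}

int main(void)
{
    /* Constructed sample tasks. */
    const struct task root_shell = { "root shell", 0, 0, 0, true };
    const struct task sshd       = { "sshd",       0, 0, 0, false };
    const struct task alice_gdb  = { "alice gdb",  1000, 1000, 1000, false };
    const struct task alice_app  = { "alice app",  1000, 1000, 1000, false };
    const struct task bob_app    = { "bob app",    1001, 1001, 1001, false };
    const struct task alice_su   = { "alice su",   1000, 0, 0, false }; /* setuid-root */

    const struct task *pairs[][2] = {
        { &root_shell, &sshd },      /* denied by OWLSM: root target, even for root with the cap */
        { &alice_gdb,  &alice_app }, /* allowed: same uid in every slot */
        { &alice_gdb,  &bob_app },   /* denied by DAC: different uid */
        { &alice_gdb,  &alice_su },  /* denied by OWLSM: euid 0 after setuid */
    };
    for (size_t i = 0; i < sizeof pairs / sizeof pairs[0]; i++) {
        int rc = stacked_ptrace_check(pairs[i][0], pairs[i][1]);
        printf("%-10s -> %-10s : %s\n", pairs[i][0]->name, pairs[i][1]->name,
               rc == 0 ? "allowed" : "denied (EPERM)");
    }
    return 0;
}
```

The ordering in `stacked_ptrace_check` is deliberate: the cheap, unconditional OWLSM rule runs before the engine that consults credentials and capabilities, and because composition is restrictive, CAP_SYS_PTRACE in the DAC rule never overrides the root-target refusal. That is the sense in which such a hack is useful on a production server yet too blunt for a general-purpose kernel.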
