Re: OWL module implementation

From: Crispin Cowan (crispinat_private)
Date: Wed Mar 26 2003 - 09:39:45 PST

  • Next message: Stephen D. Smalley: "Re: [PATCH][RFC] Remove kmod_set_label hook"

    Jonathan Heusser wrote:
    > Crispin Cowan wrote:
    >> Basically, OWLSM implements what it can and what is needed.
    >> It also got used as a place to implement a "no ptrace for root 
    >> processes" hack. I'm not sure if that hack is in the BK published 
    >> version or not, but it should be. 
    > I don't really see which features get implemented by which module .. 
    > or is there no strict separation
    > between the tasks of the modules 'capability' and 'owlsm' ? 
    Well, LSM per se is just a framework for modules, so you can put what 
    ever you want in modules that *you* develop.
    Each module in turn has its own design and purpose.
        * The Capabilities module is strictly intended to reproduce the
          functionality of the POSIX capability features found in the 2.4
          kernel, but in module form.
        * The OWLSM mdoule started out attempting to reproduce as much of
          the Openwall kernel as possible. That turns out to be a grab-bag
          of pathology prevention techniques, so it makes sense to add more
          of those kind of features to OWLSM. In particula:
              o The OWLSM module requires *zero* configuration (other than
                an on/off switch per feature would be nice) so try to stick
                to features that don't need configuring.
              o Many of the other modules don't stack well with each other
                (it makes no sense to use SELinux and LIDS together) but
                OWLSM can (in theory) compose with most of the other
                modules. So try to preserve that composability, too.
    > For instance "no ptrace for root processes" might as well fit in the 
    > capabilities module in my opinion. 
    That could be done, but it would not fit the purpose of the Capabilities 
    Crispin Cowan, Ph.D.            
    Chief Scientist, WireX          
    HP/Trend Micro Immunix Secured Solutions
    			    Just say ".Nyet"
    linux-security-module mailing list

    This archive was generated by hypermail 2b30 : Wed Mar 26 2003 - 09:40:27 PST