Jonathan Heusser wrote:
> Crispin Cowan wrote:
>
>> Basically, OWLSM implements what it can and what is needed.
>>
>> It also got used as a place to implement a "no ptrace for root
>> processes" hack. I'm not sure if that hack is in the BK published
>> version or not, but it should be.
>
> I don't really see which features get implemented by which module ..
> or is there no strict separation
> between the tasks of the modules 'capability' and 'owlsm' ?
Well, LSM per se is just a framework for modules, so you can put whatever
you want in modules that *you* develop.
Each module in turn has its own design and purpose.
* The Capabilities module is strictly intended to reproduce the
functionality of the POSIX capability features found in the 2.4
kernel, but in module form.
* The OWLSM module started out attempting to reproduce as much of
the Openwall kernel as possible. That turns out to be a grab-bag
of pathology prevention techniques, so it makes sense to add more
of those kinds of features to OWLSM. In particular:
o The OWLSM module requires *zero* configuration (other than
an on/off switch per feature would be nice) so try to stick
to features that don't need configuring.
o Many of the other modules don't stack well with each other
(it makes no sense to use SELinux and LIDS together) but
OWLSM can (in theory) compose with most of the other
modules. So try to preserve that composability, too.
> For instance "no ptrace for root processes" might as well fit in the
> capabilities module in my opinion.
That could be done, but it would not fit the purpose of the Capabilities
module.
Crispin
--
Crispin Cowan, Ph.D. http://wirex.com/~crispin/
Chief Scientist, WireX http://wirex.com
HP/Trend Micro Immunix Secured Solutions
http://h18000.www1.hp.com/products/servers/solutions/iis/
Just say ".Nyet"
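The "framework plus independently designed modules" picture in the reply above, together with the "no ptrace for root processes" rule and the point about OWLSM composing with other modules, can be shown in a small user-space model. This is an added illustration written for this page; it is not kernel code and not the actual Capabilities or OWLSM source. The task structure, the `has_cap_sys_ptrace` field, the hook registration functions and the `run_scenario` helper are all assumptions made for the example; the composition rule modelled (consult every registered module in order, the first denial wins) is the general "deny if any module denies" pattern, simplified.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed user-space model of the LSM framework idea discussed in the
 * thread: the framework owns a hook call site, each module registers its
 * own check, and a ptrace request is allowed only if no module objects.
 * Illustration only, not the kernel's, the Capabilities module's or
 * OWLSM's actual source. */

typedef struct {
    const char *name;
    unsigned int uid;
    int has_cap_sys_ptrace;   /* 1 if CAP_SYS_PTRACE is effective (assumed field) */
} task_t;

typedef int (*ptrace_hook_t)(const task_t *tracer, const task_t *tracee);

/* "Capabilities"-style module: same-uid tracing is allowed, otherwise the
 * tracer needs CAP_SYS_PTRACE (a simplified stand-in for the POSIX check). */
static int cap_ptrace_check(const task_t *tracer, const task_t *tracee)
{
    if (tracer->uid == tracee->uid)
        return 0;
    return tracer->has_cap_sys_ptrace ? 0 : -EPERM;
}

/* "OWLSM"-style module: zero configuration, one rule. Nobody may ptrace a
 * process running as root, not even another root process. */
static int owlsm_ptrace_check(const task_t *tracer, const task_t *tracee)
{
    (void)tracer;
    return tracee->uid == 0 ? -EPERM : 0;
}

#define MAX_HOOKS 4
static ptrace_hook_t ptrace_hooks[MAX_HOOKS];
static size_t nr_ptrace_hooks;

void reset_hooks(void) { nr_ptrace_hooks = 0; }

int register_ptrace_hook(ptrace_hook_t hook)
{
    if (nr_ptrace_hooks >= MAX_HOOKS)
        return -ENOSPC;
    ptrace_hooks[nr_ptrace_hooks++] = hook;
    return 0;
}

/* The framework call site: every registered module is consulted in order
 * and the first denial wins. Composition is "deny if any module denies",
 * which is what lets a config-free module like OWLSM stack on top of
 * others without either one needing to know about the other. */
int security_ptrace(const task_t *tracer, const task_t *tracee)
{
    for (size_t i = 0; i < nr_ptrace_hooks; i++) {
        int rc = ptrace_hooks[i](tracer, tracee);
        if (rc)
            return rc;
    }
    return 0;
}

/* Experiment helper (assumed, not part of any real API): build a fresh
 * module stack with the capabilities check always loaded and the OWLSM
 * check optionally loaded, then ask whether tracer may ptrace tracee.
 * Returns 0 for allowed or a negative errno for denied. */
int run_scenario(int load_owlsm, unsigned int tracer_uid, int tracer_has_cap,
                 unsigned int tracee_uid)
{
    task_t tracer = { "tracer", tracer_uid, tracer_has_cap };
    task_t tracee = { "tracee", tracee_uid, 0 };

    reset_hooks();
    register_ptrace_hook(cap_ptrace_check);
    if (load_owlsm)
        register_ptrace_hook(owlsm_ptrace_check);
    return security_ptrace(&tracer, &tracee);
}

int main(void)
{
    printf("capabilities only, root traces root:          %d\n", run_scenario(0, 0, 1, 0));
    printf("capabilities + owlsm, root traces root:       %d\n", run_scenario(1, 0, 1, 0));
    printf("capabilities + owlsm, user traces own uid:    %d\n", run_scenario(1, 1000, 0, 1000));
    printf("capabilities + owlsm, user traces other uid:  %d\n", run_scenario(1, 1000, 0, 1001));
    return 0;
}
```

The two rows that differ only in whether the OWLSM-style hook is registered show the point Crispin makes: the capabilities check alone permits root tracing root, the extra module denies it, and neither module's code had to change to get that result.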
_______________________________________________
linux-security-module mailing list
linux-security-module@mail.wirex.com
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Wed Mar 26 2003 - 09:40:27 PST