Re: LSM Openwall Port

From: Chris Wright (chrisw@private)
Date: Tue Dec 09 2003 - 11:13:58 PST

    * Marco Fister (marco@private) wrote:
    > Hi everybody!
    > 
    > I'm actually writing a German overview about security enhancements provided by LSM modules.
    > 
    > I can't find any further documentation about the LSM Openwall port, just the original FAQ and README. Can anyone tell me which main concepts of the original patch were ported into the LSM module?
    
    Taken from the Kconfig:
    
              The Openwall kernel patch consists of 8 parts:
              CONFIG_SECURE_STACK, CONFIG_SECURE_STACK_SMART,
              CONFIG_SECURE_LINK, CONFIG_SECURE_FIFO, CONFIG_SECURE_PROC,
              CONFIG_SECURE_FD_0_1_2, CONFIG_SECURE_RLIMIT_NPROC, and
              CONFIG_SECURE_SHM.
                                                                                    
              Owlsm currently implements the CONFIG_SECURE_LINK,
              CONFIG_SECURE_FD_0_1_2, and CONFIG_SECURE_RLIMIT_NPROC.
                                                                                    
              Owlsm does not currently implement the CONFIG_SECURE_FIFO
              and CONFIG_SECURE_PROC.
                                                                                    
              Owlsm probably will not implement the CONFIG_SECURE_STACK,
              CONFIG_SECURE_STACK_SMART, CONFIG_SECURE_SHM portions of the
              Openwall kernel patch. The stack patches do not naturally lend
              themselves to implementation via LSM. CONFIG_SECURE_SHM is no
              longer needed in the >= 2.4 kernel. In the 2.2 kernel, memory
              was allocated when the shared memory segment was created. The
              2.4 kernel delays allocating memory until the segment is
              used. Thus, the resource exhaustion that this patch was meant to
              protect against is not an issue. shmid exhaustion is possible,
              but impact of this is low and the invasiveness of the kernel
              changes required to port this piece to LSM is so high as to
              not justify doing it. In order to port the CONFIG_SECURE_SHM
              to LSM, a new hook would have to be added to shm_close and the
              symbols shm_destroy(), ipc_lock(), ipc_unlock(), and shm_ids
              would have to be exported.
    
    thanks,
    -chris
    -- 
    Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
    


