* Marco Fister (marco@private) wrote:
> Hi everybody!
>
> I'm actually writing a German overview of the security enhancements provided by LSM modules.
>
> I can't find any further documentation about the LSM Openwall port, just the original FAQ and README. Can anyone tell me which main concepts of the original patch were ported into the LSM module?
Taken from the Kconfig:
The Openwall kernel patch consists of 8 parts:
CONFIG_SECURE_STACK, CONFIG_SECURE_STACK_SMART,
CONFIG_SECURE_LINK, CONFIG_SECURE_FIFO, CONFIG_SECURE_PROC,
CONFIG_SECURE_FD_0_1_2, CONFIG_SECURE_RLIMIT_NPROC, and
CONFIG_SECURE_SHM.

Owlsm currently implements CONFIG_SECURE_LINK,
CONFIG_SECURE_FD_0_1_2, and CONFIG_SECURE_RLIMIT_NPROC.

Owlsm does not currently implement CONFIG_SECURE_FIFO
and CONFIG_SECURE_PROC.

Owlsm probably will not implement the CONFIG_SECURE_STACK,
CONFIG_SECURE_STACK_SMART, and CONFIG_SECURE_SHM portions of the
Openwall kernel patch. The stack patches do not naturally lend
themselves to implementation via LSM. CONFIG_SECURE_SHM is no
longer needed in the >= 2.4 kernel. In the 2.2 kernel, memory
was allocated when the shared memory segment was created. The
2.4 kernel delays allocating memory until the segment is
used. Thus, the resource exhaustion that this patch was meant to
protect against is not an issue. shmid exhaustion is possible,
but the impact of this is low and the invasiveness of the kernel
changes required to port this piece to LSM is so high as to
not justify doing it. In order to port CONFIG_SECURE_SHM
to LSM, a new hook would have to be added to shm_close and the
symbols shm_destroy(), ipc_lock(), ipc_unlock(), and shm_ids
would have to be exported.
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
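As an added illustration of one of the three pieces Owlsm does implement (not Owlsm or Openwall code): CONFIG_SECURE_FD_0_1_2 guards against a privileged program starting with descriptors 0, 1 or 2 closed, so that its first open() of a sensitive file would land on a number it later treats as stdin/stdout/stderr. The userland version below assumes the same remedy the kernel patch applies, opening /dev/null on any closed low descriptor and refusing to continue if that fails; fd_is_open() and ensure_std_fds() are names chosen for this example.

```c
/* Userland analogue of the CONFIG_SECURE_FD_0_1_2 check. Added example,
 * not Owlsm code. Assumes the Openwall remedy: every closed descriptor
 * among 0, 1, 2 is replaced by /dev/null before the program does any
 * real work, so a later open() cannot be mistaken for a standard stream. */
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Return 1 if fd currently refers to an open file, 0 otherwise. */
int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

/* Open /dev/null on each closed descriptor among 0, 1 and 2.
 * Returns the number of descriptors repaired, or -1 if /dev/null could
 * not be opened (the kernel patch refuses the exec in that case). */
int ensure_std_fds(void)
{
    int repaired = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fd_is_open(fd))
            continue;
        /* Read-only for stdin, write-only for stdout/stderr (a choice
         * made for this example). open() returns the lowest free
         * descriptor; because lower ones are already open, that is fd. */
        int got = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (got < 0)
            return -1;
        if (got != fd) {        /* defensive: should not happen */
            close(got);
            return -1;
        }
        repaired++;
    }
    return repaired;
}

int main(void)
{
    int n = ensure_std_fds();
    if (n < 0)
        return 1;               /* mimic the kernel: do not run with gaps */
    fprintf(stderr, "repaired %d standard descriptor(s)\n", n);
    return 0;
}
```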
This archive was generated by hypermail 2b30 : Tue Dec 09 2003 - 11:15:02 PST