Re: Updated BSD Secure Levels Patch

From: Petr Baudis (pasky@private)
Date: Sat Jan 10 2004 - 08:31:37 PST


    Dear diary, on Wed, Dec 03, 2003 at 10:47:08PM CET, I got a letter,
    where Michael Halcrow <mahalcro@private> told me, that...
    > This patches security/Makefile and security/Kconfig and creates
    > security/seclvl.c.  Previous patches that Serge sent to this list
    > address the settime hooks.
    > 
    > Changelog:
    >    12/02/2003  Updated by Michael A. Halcrow:
    >      1. Removed seclvl from /proc filesystem.
    >      2. Generated seclvl directory, with seclvl and passwd
    >              attributes, in the sysfs filesystem.
    >      3. Implemented password-based secure level reduction.  The
    >              password may be passed in either as plain text via the
    >              plaintextPassword module parameter, or in its
    >              hexadecimal SHA1 form via the sha1Password module
    >              parameter.  Note that you can generate the SHA1
    >              representation of a password with the sha1sum utility:
    >              echo -n "secret" | sha1sum
    >      4. Implemented rate-limiting of kernel messages to the log.
    > 
    > Notice that, when you compile the module into the kernel, the initial
    > secure level is set to 0, as opposed to when you compile the module
    > as a stand-alone, in which case the initial secure level is set to 1.
    > Most distributions out there want to be able to load modules and the
    > sort while booting.
    
    Maybe you would be interested in one rather old patch available at
    http://pasky.ji.cz/~pasky/dev/kernel/security_levels.patch, basically
    setting up the common 'security' subsystem for all LSMs to use. Despite
    its age I think it should still apply cleanly (mainly because it is
    really trivial). It was already reviewed by a few people, but it got stuck
    on my lack of time to convert any existing LSM module to it, but if you
    used it, it could probably go to the kernel along with it ;-).
    
    In fact, one LSM module used the sysfs infrastructure already (through
    the patch above) - http://pasky.or.cz/securitylevels/. I thought the
    idea was quite neat, but there was a complete lack of interest in this
    so I dismissed it for now. (I doubt you are interested in that at all,
    but just in case you would care, what do you think about it?)
    
    Kind regards,
    
    -- 
     
    				Petr "Pasky" Baudis
    .
    If a train station is where the train stops, what is a work station? --mj
    .
    Stuff: http://pasky.or.cz/
    


