Re: Clarifications of LSM API

From: Serge E. Hallyn (hallyn@private)
Date: Fri Jul 02 2004 - 13:43:32 PDT

    > Which begs the question: does it *ever* make sense to use multiple 
    > modules that use blobs? Off hand, I say "no":
    > 
    >    * All the blob-using modules I know of are some kind of MAC system
    >      that is attaching state to a process, and it never makes sense
    >      to compose these systems.
    >    * All the instances of multiple module composition that I do know of
    >      amount to one MAC system and one or more pathology blockers like
    >      TPE or OWLSM, plus the special case of POSIX Capabilities.
    > 
    > Anyone have a counter-example where they actually want to compose two 
    > blob-using modules?
    
    1. While bsdjail is not a "pathology blocker", it's not a generic MAC
    system like selinux/lids/dte either.  It needs several of the blobs.  I
    think using bsdjail along with selinux is very reasonable.
    
    2. Digsig at the moment needs it in order to mark inodes which are
    being mmaped(EXEC) so as to refuse open(write).  If deny_write_access()
    were EXPORTed, it might not need any blobs.
    
    3. As Valdis points out, dirjail uses them.  Though I'm surprised anyone
    remembers dirjail  :)
    
    Of course, in the end, we can always jump to keeping our own records,
    i.e. bsdjail could keep a <pid> -> jail hash table  :)
    
    I do hope to do some benchmarks of built-in support and the cooperative
    (blob-chaining) approach over the next month.
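
The <pid> -> jail hash table mentioned at the end of the message, as an added userspace C model (not part of the original post and not bsdjail code). It shows what a module keeping its own records has to handle explicitly: inheritance on fork and removal on exit, so that a recycled pid is not left in a jail. All function names and the integer jail id are hypothetical.

```c
/* Added userspace model with constructed names; not bsdjail or kernel code. */
#include <stdlib.h>

#define BUCKETS 64
struct jail_entry {
    int pid, jail_id;             /* jail_id >= 0; -1 means "not jailed" */
    struct jail_entry *next;
};
static struct jail_entry *table[BUCKETS];
static unsigned bucket(int pid) { return (unsigned)pid % BUCKETS; }

/* Return the jail id recorded for pid, or -1 if the task is not jailed. */
int jail_lookup(int pid)
{
    struct jail_entry *e;
    for (e = table[bucket(pid)]; e; e = e->next)
        if (e->pid == pid)
            return e->jail_id;
    return -1;
}

/* Record pid as confined to jail_id; 0 on success, -1 on failure. */
int jail_attach(int pid, int jail_id)
{
    struct jail_entry *e;
    if (jail_lookup(pid) != -1 || !(e = malloc(sizeof(*e))))
        return -1;                /* already labelled, or out of memory */
    e->pid = pid; e->jail_id = jail_id;
    e->next = table[bucket(pid)];
    table[bucket(pid)] = e;
    return 0;
}

/* Fork path: child inherits the parent's jail; -1 means refuse the fork. */
int jail_inherit(int parent, int child)
{
    int id = jail_lookup(parent);
    return id == -1 ? 0 : jail_attach(child, id);
}

/* Exit path: drop the record so a recycled pid is not treated as jailed. */
void jail_release(int pid)
{
    struct jail_entry **pp = &table[bucket(pid)], *dead;
    while (*pp && (*pp)->pid != pid)
        pp = &(*pp)->next;
    dead = *pp;
    if (dead) { *pp = dead->next; free(dead); }
}
```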
    


