> On Wed, 27 Oct 2004, James Morris wrote:
>
> > And composing more than a very small number of LSMs could be unsafe in
> > any case, so a small static array should be enough.
>
> Actually, I think security composition is such a difficult problem[1] that
> we should not provide support for it via LSM. The LSMs can themselves
> implement and compose security models if needed, e.g. SELinux already does
> this with TE/RBAC/MLS and self-stacks the capabilities code for
> application compatibility (the latter could be done via a library and does
> not need to be stacked).

LSM hooks can also be used for performance measurements, to aid an audit
subsystem, etc. And with LSMs like bsdjail and securelevel, stacking with
SELinux is still useful even though all are purely security modules.

> I don't think arbitrary composition of security models is a service that
> the Linux kernel should provide.

Here we fundamentally disagree. Something which can be unsafe for some if
improperly used, but useful for others, should not therefore be disabled.
Following that logic, we could argue that for many people SELinux is unsafe
because it is far too complicated and hard to set up at the moment, and
should therefore not be distributed with the kernel.

-serge
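To make concrete what "a small static array" of stacked modules amounts to in the restrictive-hook case, here is an added user-space toy in C. It is not code from this thread or from the Linux kernel, and the real LSM hook interface differs; the `struct request`, the `inode_permission` hook signature and the two policy modules (a securelevel-like write guard for `/boot` and a jail-like path confinement, standing in for the securelevel and bsdjail modules mentioned above) are constructed for illustration. The composition rule shown is the simple one that works for restrictive hooks: every module in the array must permit, and the first denial wins, so adding a module can only remove permissions, never grant ones another module denied.

```c
/* Toy model of stacking restrictive security hooks over a static array.
 * Constructed example; not the kernel's LSM implementation. */
#include <stdio.h>
#include <string.h>
#include <errno.h>

#define MAX_MODULES 4   /* "a small static array" */

struct request {
    const char *subject;  /* who is asking (hypothetical label) */
    const char *object;   /* path being accessed */
    int write;            /* 1 for a write, 0 for a read */
};

struct sec_module {
    const char *name;
    /* Restrictive hook: 0 permits, negative errno denies. */
    int (*inode_permission)(const struct request *r);
};

/* Securelevel-like policy: nothing may write under /boot/. */
static int securelevel_permission(const struct request *r)
{
    if (r->write && strncmp(r->object, "/boot/", 6) == 0)
        return -EPERM;
    return 0;
}

/* Jail-like policy: a jailed subject may only touch paths under /jail/. */
static int jail_permission(const struct request *r)
{
    if (strcmp(r->subject, "jailed") == 0 &&
        strncmp(r->object, "/jail/", 6) != 0)
        return -EACCES;
    return 0;
}

/* Registration order is fixed at build time; unused slots stay NULL. */
static const struct sec_module modules[MAX_MODULES] = {
    { "securelevel", securelevel_permission },
    { "jail",        jail_permission },
};

/* Composition rule: every module must permit; the first denial wins.
 * On denial, *denied_by names the module that refused (if requested). */
int composed_permission(const struct request *r, const char **denied_by)
{
    for (int i = 0; i < MAX_MODULES && modules[i].inode_permission; i++) {
        int rc = modules[i].inode_permission(r);
        if (rc) {
            if (denied_by)
                *denied_by = modules[i].name;
            return rc;
        }
    }
    if (denied_by)
        *denied_by = NULL;
    return 0;
}

int main(void)
{
    /* Constructed requests exercising each module and the allow path. */
    struct request reqs[] = {
        { "root",   "/boot/vmlinuz",    1 },
        { "jailed", "/etc/passwd",      0 },
        { "jailed", "/jail/etc/passwd", 1 },
    };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        const char *who;
        int rc = composed_permission(&reqs[i], &who);
        printf("%s %s %s -> %s%s%s\n", reqs[i].subject,
               reqs[i].write ? "writes" : "reads", reqs[i].object,
               rc ? "denied" : "allowed",
               rc ? " by " : "", rc ? who : "");
    }
    return 0;
}
```

Because each hook only ever narrows what is permitted, the order of the array does not change the allow/deny outcome, only which module gets credited with the denial; the hard cases the thread alludes to arise with hooks that are not purely restrictive (ones that allocate or transform security state), where ordering and per-module state do matter.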
This archive was generated by hypermail 2.1.3 : Wed Oct 27 2004 - 08:21:08 PDT