Re: LSM Stacker

From: tvrtko.ursulin@private
Date: Wed Jan 05 2005 - 00:32:07 PST

On 05/01/2005 01:25:29 Chris Wright wrote:

>> I agree with David's point of treating writes (add/remove from chain) 
>> extremely rare. But I do not like the "leave module loaded" idea. In 
>> production environment, there must be a mechanism which enables 
>> critical OS parts without a reboot. LSM per se does not offer that, so 
>> "stacker" module should remedy that.
>That's not the case.  If the critical OS part is modular, and it can be
>put into a state where it's not being used, then it's possible to unload
>the module, and insert an update (assuming it's been compiled against the
>correct base, etc).  So, we'll do nothing special to support live updates
>other than what modules bring already.  Also, consider there could be
>ugly/negative security side-effects of unloading and reloading a security
>module while the system is running (depends on how the module is coded).
>SELinux, for example, chose the simpler approach of not allowing it to
>be built modular.

If we assume that the different modules handle different areas of 
security, then we can eliminate the ugly/negative side-effects.

But in its current form LSM is really not suitable for live updates. It 
is if only one module is loaded, but what do you do if you want to update 
a module which has another one piggy-backed onto it (one you don't have 
control over)? I don't see that you can do it, and that is a real 
show-stopper. Yes, you could try to unload the one that is stacked onto 
you, but that would be just awful.

Having each module responsible to implement (or not) stacking has its 
advantages, but I really think that we need a proper stacking (or better 
said chaining) manager. Of course it should be optional in order not to 
penalise performance for everybody. But we really do need it.

>> But the fact that LSM hooks might not be allowed to sleep is still a
>> showstopper. In its current state, LSM hooks do not provide sufficient
>> functionality to implement some of the tasks required for a production
>> environment.
>This last statement requires a leap of faith, as I don't see what
>substantiates such a claim.  Many sites use LSM in production already...

It was written under the impression that hooks are really not allowed to 
sleep. As that is not the case it is no longer a valid 'complaint'. 
However, it would still be nice to have that aspect documented somewhere. 
Not knowing which hooks are not allowed to sleep, and whether that is always 
or only in a special case, is a little strange from an interface user point of view. 
If I had the knowledge I could help write that, but I don't.

So Serge is working on a stacking solution already. Will his work, or 
something based on it, be accepted into the mainline in the near future?

Tvrtko August Ursulin
Software Engineer, Sophos

Tel: 01235 559933
Sophos - protecting businesses against viruses and spam
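The "chaining manager" the message argues for can be sketched outside the kernel. The following is an added example written for this archive page; it is not code from the thread, from Serge's stacker, or from the LSM project. It models a security-ops table with a single hypothetical hook (`file_open`), a registration list that a manager owns, and a composite hook that consults each registered module in order and stops at the first denial. The module names (`pathguard`, `dotdot`), the policies they enforce, and the `OPEN_READ`/`OPEN_WRITE` flags are all constructed for the demonstration. The point it illustrates is the one made above: when the manager owns the list, any single module can be unregistered and replaced while the others stay in place, which a module that has another one piggy-backed directly onto its ops table cannot do.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed open flags for the demo (not the kernel's O_* values). */
enum { OPEN_READ = 0, OPEN_WRITE = 1 };

/* Hypothetical, cut-down security-ops table: one hook plus a chain link. */
struct sec_ops {
    const char *name;
    int (*file_open)(const char *path, int flags);
    struct sec_ops *next;
};

/* The manager owns the chain; modules never see each other's tables. */
static struct sec_ops *chain_head;

/* Append a module to the chain. Earlier registrations are consulted first. */
int stacker_register(struct sec_ops *ops)
{
    struct sec_ops **pp;

    if (!ops || !ops->file_open)
        return -EINVAL;
    for (pp = &chain_head; *pp; pp = &(*pp)->next)
        if (*pp == ops)
            return -EEXIST;      /* already in the chain */
    ops->next = NULL;
    *pp = ops;
    return 0;
}

/* Unlink one module. The rest of the chain is untouched, which is what
 * makes a live replacement of a single module possible. */
int stacker_unregister(struct sec_ops *ops)
{
    struct sec_ops **pp;

    for (pp = &chain_head; *pp; pp = &(*pp)->next) {
        if (*pp == ops) {
            *pp = ops->next;
            ops->next = NULL;
            return 0;
        }
    }
    return -ENOENT;
}

/* Composite hook: every module gets a vote; the first denial wins and
 * later modules are not consulted. With no modules loaded it permits. */
int stacker_file_open(const char *path, int flags)
{
    struct sec_ops *ops;

    for (ops = chain_head; ops; ops = ops->next) {
        int rc = ops->file_open(path, flags);
        if (rc)
            return rc;
    }
    return 0;
}

/* Constructed module 1: refuse write opens below /protected/. */
static int pathguard_file_open(const char *path, int flags)
{
    if ((flags & OPEN_WRITE) && strncmp(path, "/protected/", 11) == 0)
        return -EACCES;
    return 0;
}

/* Constructed module 2: refuse any path containing "..". */
static int dotdot_file_open(const char *path, int flags)
{
    (void)flags;
    return strstr(path, "..") ? -EACCES : 0;
}

struct sec_ops mod_pathguard = { "pathguard", pathguard_file_open, NULL };
struct sec_ops mod_dotdot    = { "dotdot",    dotdot_file_open,    NULL };

int main(void)
{
    stacker_register(&mod_pathguard);
    stacker_register(&mod_dotdot);
    printf("write /protected/conf -> %d\n",
           stacker_file_open("/protected/conf", OPEN_WRITE));
    printf("read  /tmp/../etc     -> %d\n",
           stacker_file_open("/tmp/../etc", OPEN_READ));

    /* Swap out one module while the other keeps enforcing. */
    stacker_unregister(&mod_pathguard);
    printf("write /protected/conf -> %d (pathguard removed)\n",
           stacker_file_open("/protected/conf", OPEN_WRITE));
    printf("read  /tmp/../etc     -> %d (dotdot still active)\n",
           stacker_file_open("/tmp/../etc", OPEN_READ));
    return 0;
}
```

The "first denial wins" rule is the conservative composition: a module can only make the system more restrictive, never override another module's refusal. Making the chain walk optional, as the message suggests, is a matter of compiling the manager out and wiring the single module's table in directly.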

This archive was generated by hypermail 2.1.3 : Wed Jan 05 2005 - 00:33:05 PST