| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 9 Sep 2013 23:02:05 +0000 From: Matthew Garrett <matthew.garrett@...ula.com> To: David Lang <david@...g.hm> CC: "Valdis.Kletnieks@...edu" <Valdis.Kletnieks@...edu>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "keescook@...omium.org" <keescook@...omium.org>, "gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>, "hpa@...or.com" <hpa@...or.com>, "linux-efi@...r.kernel.org" <linux-efi@...r.kernel.org>, "jmorris@...ei.org" <jmorris@...ei.org>, "linux-security-module@...r.kernel.org" <linux-security-module@...r.kernel.org> Subject: Re: [PATCH 00/12] One more attempt at useful kernel lockdown On Mon, 2013-09-09 at 11:25 -0700, David Lang wrote: > 1 lock down modules > 2 lock down kexec Having thought about this, the answer is no. It presents exactly the same problem as capabilities do - the set can never be meaningfully extended. If an application sets only the bits it knows about, and if a new security-sensitive feature is added to the kernel, the feature will be left enabled and the system will be insecure. Alternatively, if an application sets all the bits regardless of whether it knows them or not, it may enable a lockdown feature that it otherwise required. The only way this is useful is if all the bits are semantically equivalent, and in that case there's no point in having anything other than a single bit. Users who want a more fine-grained interface should use one of the existing mechanisms for doing so - leave the kernel open and impose the security policy from userspace using either capabilities or selinux. -- Matthew Garrett <matthew.garrett@...ula.com>
Powered by blists - more mailing lists