| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20070627134149.GB2679@sergelap> Date: Wed, 27 Jun 2007 08:41:49 -0500 From: "Serge E. Hallyn" <serue@...ibm.com> To: Kyle Moffett <mrmacman_g4@....com> Cc: "Serge E. Hallyn" <serue@...ibm.com>, Andreas Gruenbacher <agruen@...e.de>, James Morris <jmorris@...ei.org>, Chris Wright <chrisw@...s-sol.org>, linux-security-module@...r.kernel.org, Andrew Morgan <agm@...gle.com>, Andrew Morton <akpm@...gle.com>, Stephen Smalley <sds@...ho.nsa.gov>, lkml <linux-kernel@...r.kernel.org>, Arjan van de Ven <arjan@...radead.org>, Greg KH <greg@...ah.com>, Eric Paris <eparis@...hat.com> Subject: Re: [PATCH try #2] security: Convert LSM into a static interface Quoting Kyle Moffett (mrmacman_g4@....com): > This whole discussion boils down to 2 points: Yes it can, but not the two you list. > 1) As currently implemented, no LSM may be safely rmmod-ed That's not the rationale for the patch, it's just some talking point you picked up. The rationale for the patch is to prevent abuse. So point 1 is 1) Is the LSM infrastructure being abused, and how detrimental is that abuse As has come up, the abuse comes in two forms, and people seem to want to blur the two forms to make it seem especially relevant and heinous... > 2) Someone has submitted a patch which fixes that problem (you > can't rmmod them at all, so no crashes) 2) Is the loss of flexibility in the LSM framework a worthwhile tradoff against the abuse prevention. Clearly I and a very few others feel no, and a very vocal set (which sure sounds like a majority) says yes. Now quit trying to give technical justifications for something which is technical only insofar as it is a technical roadblock to prevent a legal problem. > If you really want to do modular LSMs, then you need to submit a > patch which fixes all the race conditions in LSM removal *without* LSM is an infrastructure. It's up to the modules to provide that, and it can be done. DTE used to do it. Dirjail used to do it. Capability does it. And since LSM won't be modular anymore it doesn't matter. > adding much extra overhead. I'm sure if your solutions works then > everyone will be much more open to modular LSMs. I said this before: Another blatant lie, not unlike "come to the table to upstream your LSM, and we'll help you, honest." (The funny thing about that is, I actually like SELinux, more than the alternatives in general. I just can't stand the attitudes voice by much of its camp.) -serge PS - should we rename 'LSM' to 'LSI' - linux security infrastructure? Calling it LSM now is kind of moronic. - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists