lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 27 Jun 2007 10:36:11 -0400 (EDT)
From:	James Morris <jmorris@...ei.org>
To:	"Serge E. Hallyn" <serue@...ibm.com>
cc:	Kyle Moffett <mrmacman_g4@....com>,
	Andreas Gruenbacher <agruen@...e.de>,
	Chris Wright <chrisw@...s-sol.org>,
	linux-security-module@...r.kernel.org,
	Andrew Morgan <agm@...gle.com>,
	Andrew Morton <akpm@...gle.com>,
	Stephen Smalley <sds@...ho.nsa.gov>,
	lkml <linux-kernel@...r.kernel.org>,
	Arjan van de Ven <arjan@...radead.org>,
	Greg KH <greg@...ah.com>, Eric Paris <eparis@...hat.com>
Subject: Re: [PATCH try #2] security: Convert LSM into a static interface

On Wed, 27 Jun 2007, Serge E. Hallyn wrote:

> Quoting Kyle Moffett (mrmacman_g4@....com):
> > This whole discussion boils down to 2 points:
> 
> Yes it can, but not the two you list.
> 
> >   1) As currently implemented, no LSM may be safely rmmod-ed
> 
> That's not the rationale for the patch, it's just some talking point you
> picked up.  The rationale for the patch is to prevent abuse.

This is not correct.  Reducing API abuse is simply a bonus.

The rationale for the patch is to remove unneeded infrastructure which 
complicates security by introducing the idea that the security module can 
be removed at all.

It was in response to your very own posting about the new capabilities 
code which would need to take this into account.


Recall:

On Sun, 24 Jun 2007, Serge E. Hallyn wrote:

> > 2) Allocate capability bit-31 for CAP_SETFCAP, and use it to gate
> > whether the user can set this xattr on a file or not. CAP_SYS_ADMIN is
> > way too overloaded and this functionality is special.
> 
> The functionality is special, but someone with CAP_SYS_ADMIN can always
> unload the capability module and create the security.capability xattr
> using the dummy module.
> 
> If we do add this cap, do we want to make it apply to all security.*
> xattrs?

The underlying issue here is the notion of security mechanisms which are 
built as loadable modules.  It's not useful for any in-tree users, and 
introduces several unnecessary problems which then need to be addressed.

A better approach would be to make LSM a statically linked interface.

This would also allow us to unexport the LSM symbols and reduce the API 
abuse by third-party modules.



- James
-- 
James Morris
<jmorris@...ei.org>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ