| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <10965.80.126.27.205.1193684677.squirrel@webmail.xs4all.nl>
Date: Mon, 29 Oct 2007 20:04:37 +0100 (CET)
From: "Rob Meijer" <capibara@...all.nl>
To: "Crispin Cowan" <crispin@...spincowan.com>
Cc: rmeijer@...all.nl, casey@...aufler-ca.com,
"Chris Wright" <chrisw@...s-sol.org>,
"Adrian Bunk" <bunk@...nel.org>,
"Simon Arlott" <simon@...e.lp0.eu>, linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org,
"Jan Engelhardt" <jengelh@...putergmbh.de>,
"Linus Torvalds" <torvalds@...ux-foundation.org>,
"Andreas Gruenbacher" <agruen@...e.de>,
"Thomas Fricaccia" <thomas_fricacci@...oo.com>,
"Jeremy Fitzhardinge" <jeremy@...p.org>,
"James Morris" <jmorris@...ei.org>,
"Giacomo Catenazzi" <cate@...ian.org>,
"Alan Cox" <alan@...rguk.ukuu.org.uk>
Subject: Re: Linux Security *Module* Framework (Was: LSM conversion to
static interface)
On Mon, October 29, 2007 11:24, Crispin Cowan wrote:
>> Thus IMHO it may be a good idea to instead of a maintainer for LSM
>> modules as proposed, alternatively a maintainer for each formal model
>> may be more appropriate. This also would require module builders to
>> first
>> think about what formal model they are actualy using, thus resulting in
>> cleaner module design.
>>
> I *really* dislike this idea. It seems to set up the situation that the
> only acceptable modules are those that follow some "formal" model.
> Problems:
>
> * What qualifies as a formal model? This becomes an arbitrary litmus
> test, depending on whether the model was originally published in a
> sufficiently snooty forum.
> * What if someone invents a new model that has not been "formalized"
> yet? Should Linux be forced to wait until the idea has been
> through the academic mill before we allow someone to try
> implementing a module for the idea?
I may have been stating things a bit to strong when talking only about
"formal" models only. But possibly you could just define the non-formal
experimental models as a single group.
The thing I was trying to propose was aimed at the problem that if someone
proposes a patch to the LSM base code that he/she feels is needed to
complete an LSM module that implements a particular (formal) model,
he/she would end up explaining and/or defending both the 'model', the module
and its requirement for the patch.
What I tried to propose is to assign some sort of maintainer role for each
(formal) model, and let these roles take care of the module/patch part of
stuff, while the module writer would only need to defend/discuss the the
patch with the model maintainer.
> * The proposal only allows a single implementation of each formal
> model. In theory, theory is just like practice, but in practice it
> is not. SMACK and SELinux follow substantially similar formal
> models (not exactly the same) so should we exclude one and keep
> the other? No, of course not, because in practice they are very
> different.
I would think the two may benefit from a role as described above.
But I was thinking more in the line of new modules that may again
implement this same model, and would thus benefit from interaction with
this 'model maintainer' role.
Rob
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists