[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20071028221214.171f7d3a@laptopd505.fenrus.org>
Date: Sun, 28 Oct 2007 22:12:14 -0700
From: Arjan van de Ven <arjan@...radead.org>
To: Crispin Cowan <crispin@...spincowan.com>
Cc: Alan Cox <alan@...rguk.ukuu.org.uk>,
Ray Lee <ray-lk@...rabbit.org>,
Chris Wright <chrisw@...s-sol.org>,
Casey Schaufler <casey@...aufler-ca.com>,
Adrian Bunk <bunk@...nel.org>,
Simon Arlott <simon@...e.lp0.eu>, linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org,
Jan Engelhardt <jengelh@...putergmbh.de>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Andreas Gruenbacher <agruen@...e.de>,
Thomas Fricaccia <thomas_fricacci@...oo.com>,
Jeremy Fitzhardinge <jeremy@...p.org>,
James Morris <jmorris@...ei.org>,
Giacomo Catenazzi <cate@...ian.org>
Subject: Re: Linux Security *Module* Framework (Was: LSM conversion to
static interface)
On Sun, 28 Oct 2007 15:08:56 -0700
Crispin Cowan <crispin@...spincowan.com> wrote:
> To reject an LSM for providing "bad" security, IMHO you should have to
> show how it is possible to subvert the self-stated goals of that LSM.
> Complaints that the LSM fails to meet some goal outside of its stated
> purpose is irrelevant. Conjecture that it probably can be violated
> because of $contrivance is just so much FUD.
exactly; this is why I've been pushing recently for each new LSM to at
least document and make explicit what it tries to protect / protect
against (threat model and defense model in traditional security terms).
Without such an explicit description it's both impossible to
"neutrally" review a proposed LSM towards its goals, and it ends up as
a result with people making assumptions and attacking the model because
there's no separation between code and model.
> Exception: it is valid to say that the self-stated goal is too narrow
> to be useful. But IMHO that bar of "too narrow" should be very, very
> low. Defenses against specific modes of attack would be a fine thing
> to build up in the library of LSMs, especially if we got a decent
> stacking module so that they could be composed.
again I agree pretty much; I do want to reserve some minimum "common
sense" bar because people may (and probably will) do silly things withs
LSMs that are really not the right thing to do objectively.
--
If you want to reach me at my work email, use arjan@...ux.intel.com
For development, discussion and tips for power savings,
visit http://www.lesswatts.org
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists