[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <538323.91702.qm@web36614.mail.mud.yahoo.com>
Date: Tue, 6 Nov 2007 20:34:45 -0800 (PST)
From: Casey Schaufler <casey@...aufler-ca.com>
To: Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>,
casey@...aufler-ca.com
Cc: crispin@...spincowan.com, simon@...e.lp0.eu,
linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org, cliffe@...net,
oiaohm@...il.com
Subject: Re: Defense in depth: LSM *modules*, not a static interface
--- Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp> wrote:
> Hello.
>
> Casey Schaufler wrote:
> > Fine grained capabilities are a bonus, and there are lots of
> > people who think that it would be really nifty if there were a
> > separate capability for each "if" in the kernel. I personally
> > don't see need for more than about 20. That is a matter of taste.
> > DG/UX ended up with 330 and I say that's too many.
>
> TOMOYO Linux has own (non-POSIX) capability that can support 65536
> capabilities
> if there *were* a separate capability for each "if" in the kernel.
>
http://svn.sourceforge.jp/cgi-bin/viewcvs.cgi/trunk/2.1.x/tomoyo-lsm/patches/tomoyo-capability.diff?root=tomoyo&view=markup
>
> The reason I don't use POSIX capability is that the maximum types are limited
> to
> bitwidth of a variable (i.e. currently 32, or are we going to extend it to
> 64).
> This leads to abuse of CAP_SYS_ADMIN capability.
That is a matter of taste.
> In other words, it makes fine-grained privilege division impossible.
I personally believe that a finer granularity than about 20
is too fine. I understand that this is a minority opinion.
Casey Schaufler
casey@...aufler-ca.com
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists