| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 28 Dec 2007 23:32:09 +0900 From: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp> To: serue@...ibm.com Cc: linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: TOMOYO Linux Security Goal Hello. Serge E. Hallyn wrote: > Auto-learning in itself doesn't seem novel, but so you're saying it's > novel in ust how integrated it is - no mnual intervention necessary? You can run your system with only policy collected by learning mode. Thus, you basically don't need manual intervention. But since there are randomly named files (i.e. temporary files), you pay a little time to modify policy. The learning mode is to save time for permitting commonly accessed resources. Administrator reviews policy collected by learning mode. Thus the readability of policy is important so that administrator can understand what he/she is going to allow or reject. > Does grsec's learning mode come closer to yours? (I've never used > grsec, just got the impression it did a lot of auto-learning stuff) I looked at a glance. As far as I saw, it is not real-time policy generation. It generates policy from logs like SELinux's audit2allow or AppArmor's aa-genprof . Thus, I think grsec doesn't add domains in real-time like TOMOYO. (I never used grsec too.) It seems to me that grsec is designed for as fine grained access control as SELinux's, while AppArmor and TOMOYO is designed for usability. AppArmor's final implementation might come closer to grsec. > > * namespace manipulation. (i.e. mount()/umount()/pivot_root()) > > do you track mounts namespace cloning? > Yes. TOMOYO can recognize mount operation with the following flags. --bind --move --remount --make-unbindable --make-private --make-slave --make-shared Although pathname based access control is not good at handling complicated mount operations like http://lwn.net/Articles/159077/ , many systems don't require such complicated ones. Speak of bind mounts, there comes vfsmount problem. AppArmor has been proposing patches to pass "struct vfsmount" parameter to VFS helper functions and LSM hooks so that AppArmor/TOMOYO can determine which pathname was requested in the bind-mounted environment. Without the vfsmount patches, we can't calculate pathname without the risk of AB-BA deadlock (if namespace_sem held) or crash (if namespace_sem not held). I think we should start discussing how the vfsmount patches can be merged. I'm sad to see no response for AppArmor's posting at http://lkml.org/lkml/2007/12/20/182 . > Well I don't see how you could without a new lsm hook :) But it seems > like something you'd need to really support this claim. Any plans of > it? I'm ready to submit patches for 2.6.24-rc6-mm1, but it seems to me that many developers are offline. So, I'll submit patches when they come back to online. Regards. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists