| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <201001032112.17975.paul.moore@hp.com> Date: Sun, 3 Jan 2010 21:12:17 -0500 From: Paul Moore <paul.moore@...com> To: "Eric W. Biederman" <ebiederm@...ssion.com> Cc: Casey Schaufler <casey@...aufler-ca.com>, Michael Stone <michael@...top.org>, linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org, Andi Kleen <andi@...stfloor.org>, David Lang <david@...g.hm>, Oliver Hartkopp <socketcan@...tkopp.net>, Alan Cox <alan@...rguk.ukuu.org.uk>, Herbert Xu <herbert@...dor.apana.org.au>, Valdis Kletnieks <Valdis.Kletnieks@...edu>, Bryan Donlan <bdonlan@...il.com>, Evgeniy Polyakov <zbr@...emap.net>, "C. Scott Ananian" <cscott@...ott.net>, James Morris <jmorris@...ei.org>, Bernie Innocenti <bernie@...ewiz.org>, Mark Seaborn <mrs@...hic-beasts.com>, Randy Dunlap <randy.dunlap@...cle.com>, Américo Wang <xiyou.wangcong@...il.com> Subject: Re: A basic question about the security_* hooks On Thursday 24 December 2009 07:53:35 am Eric W. Biederman wrote: > Casey Schaufler <casey@...aufler-ca.com> writes: > > I'm behind you 100%. Use the LSM. Your module is exactly why we have > > the blessed thing. Once we get a collection of otherwise unrelated > > LSMs the need for a stacker will be sufficiently evident that we'll > > be able to get one done properly. > > My immediate impression is that the big limitation today is the > sharing of the void * security data members of strucutres. > > Otherwise multiple security modules could be as simple as. > list_for_each(mod) > if (mod->op(...) != 0) > return -EPERM. > > It isn't hard to multiplex a single data field into several with a > nice little abstraction. Just another quick point that I didn't see covered yet in this thread ... while many of the kernel entities have void pointers to track the security blobs, there are several places where a single u32/int or character string is used to represent the security label of an entity (look at the per-packet labeling for an example). While it would be relatively easy to multiple multiple security blobs on top of a void pointer, multiplexing multiple security labels/tokens on top of a string/int is a little more difficult. -- paul moore linux @ hp -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists