lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 18 Jun 2010 10:58:29 -0700 From: Kees Cook <kees.cook@...onical.com> To: Alan Cox <alan@...rguk.ukuu.org.uk> Cc: Randy Dunlap <rdunlap@...otime.net>, James Morris <jmorris@...ei.org>, linux-kernel@...r.kernel.org, Andrew Morton <akpm@...ux-foundation.org>, Jiri Kosina <jkosina@...e.cz>, Dave Young <hidave.darkstar@...il.com>, Martin Schwidefsky <schwidefsky@...ibm.com>, Roland McGrath <roland@...hat.com>, Oleg Nesterov <oleg@...hat.com>, "H. Peter Anvin" <hpa@...or.com>, David Howells <dhowells@...hat.com>, Ingo Molnar <mingo@...e.hu>, Peter Zijlstra <a.p.zijlstra@...llo.nl>, "Eric W. Biederman" <ebiederm@...ssion.com>, linux-doc@...r.kernel.org, Stephen Smalley <sds@...ho.nsa.gov>, Daniel J Walsh <dwalsh@...hat.com>, linux-security-module@...r.kernel.org Subject: Re: [PATCH] ptrace: allow restriction of ptrace scope Hi, On Thu, Jun 17, 2010 at 11:30:54PM +0100, Alan Cox wrote: > - You can give up now. Failure is always an option! :) Nah, I was never deluded into thinking these patches were going to be universally-loved and easy to upstream. I posted them because I want them in, and I'm going to stick with it. > - You can put it together as a security module - which will make people > happy and get your stuff upstream. After that you can have a meaningful > discussion about stacking, although I think you'll find that stacking > is really really hard because you get conflicting behaviour between > security modules and ignoring those conflicts ends up violating at least > one of the security models leaving you worse not better off. > > Your path to making any of the stuff you want happen is via the security > layer and the LSM hooks. Even if you want them stackable and usable with > other modules your starting point is still a security module. Sounds like this really is the only path, with the idea of finding a chaining solution later. Without chaining, it's only useful for people that aren't using a full MAC. -Kees -- Kees Cook Ubuntu Security Team -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists