lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <alpine.LRH.2.02.1301081942030.24212@tundra.namei.org>
Date:	Tue, 8 Jan 2013 20:12:48 +1100 (EST)
From:	James Morris <jmorris@...ei.org>
To:	Casey Schaufler <casey@...aufler-ca.com>
cc:	Stephen Rothwell <sfr@...b.auug.org.au>,
	LSM <linux-security-module@...r.kernel.org>,
	LKLM <linux-kernel@...r.kernel.org>,
	SE Linux <selinux@...ho.nsa.gov>,
	John Johansen <john.johansen@...onical.com>,
	Eric Paris <eparis@...hat.com>,
	Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>,
	Kees Cook <keescook@...omium.org>,
	Andrew Morton <akpm@...ux-foundation.org>
Subject: Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs

On Mon, 7 Jan 2013, Casey Schaufler wrote:

> There has been an amazing amount of development in system security
> over the past three years. Almost none of it has been in the kernel.
> One important reason that it is not getting done in the kernel is
> that the current single LSM restriction requires an all or nothing
> approach to security. Either you address all your needs with a single
> LSM or you have to go with a user space solution, in which case you
> may as well do everything in user space.

This sounds like a very spurious argument.  If the development is better 
done in userspace, then do it there.

There's no way to address all your security needs with an LSM in any case, 
for any practical system.  LSM is an API for making security decisions 
about kernel flow, usually as part of implementing access control 
mechanisms.  It is not meant to provide any kind of total security 
solution, and the argument that you can't do some security in userspace is 
totally illogical.

Development should be done in userspace unless it must be done in the 
kernel.

> Multiple concurrent LSMs allows a system to be developed incrementally
> and to combine a variety of approaches that meet new and interesting
> needs. It allows for systems that are based on an LSM that does not
> meet all of the requirements but that can be supplemented by another
> LSM that fills the gaps. It allows an LSM like Smack that implements
> label based access controls to remain true to its purpose even in the
> face of pressure to add controls based on other mechanisms.
> 
> I have had requests for running Smack and AppArmor together Tetsuo has
> long had need to put SELinux and TOMOYO on the same box. Yama was
> recently special cased for stackability.

I'd say we need to see the actual use-case for Smack and Apparmor being 
used together, along with at least one major distro committing to support 
this.

Yama is special-cased and can stay that way.

SELinux and Tomoyo together makes no sense to me, and similarly, I would 
like to see the specific use-case for it and distro commitment to support 
it.

> We are looking at security from different directions than ever before.
> What good is a UID on a cell phone? I hear complaints about Android's
> "abuse" of the UID. 

What is the UID issue and how does LSM stacking address it?

> With the option of independent groups creating smallish LSMs and 
> integrating them by stacking we have the ability to make the security 
> systems modern devices require using a architecturally clean model 
> rather than hijacking existing mechanisms that work a little bit like 
> what you want to do.

This is speculative.

> 
> I used to believe in a single, integrated security module that addressed
> all the issues. Now that Linux is supporting everything from real time
> tire pressure gauges in tricycles to the global no-fly list that just
> doesn't seem reasonable. We need better turn around on supplemental 
> mechanisms. That means collections of smaller, simpler LSMs instead of
> monoliths that only a few select individuals or organizations have any
> hope of configuring properly.

If you're trying to say that only a few select individuals or orgs can 
configure things like SELinux and AppArmor properly, you're wrong, and the 
evidence for that is overwhelming.

Also, are you saying that security mechanisms are inherently easier to 
configure if they're composed from a variety of distinct modules vs. a 
monolithic scheme? 



-- 
James Morris
<jmorris@...ei.org>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ