Re: Time to remove LSM (was Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks)



Quoting Valdis.Kletnieks@xxxxxx (Valdis.Kletnieks@xxxxxx):
> On Mon, 17 Apr 2006 22:26:24 BST, Alan Cox said:
> 
> (Two replies to this paragraph, addressing 2 separate issues....)
> 
> > You can implement a BSD securelevel model in SELinux as far as I can see
> > from looking at it, and do it better than the code today, so it's not
> > really a feature drop anyway, just a migration away from some fossils.
> 
> If we heave the LSM stuff overboard, there's one thing that *will* need
> addressing - what to do with kernel support of Posix-y capabilities. Currently
> some of the heavy lifting is done by security/commoncap.c.
> 
> Frankly, that's *another* thing that we need to either *fix* so it works right,
> or rip out of the kernel entirely. As far as I know, there's no in-tree way
> to make /usr/bin/ping be set-CAP_NET_RAW and have it DTRT.

Sigh... it's such a cool idea, and yet such a dangerously easy thing to
get wrong, i.e. dropping the ability for a root process to drop its root
privs.

If we were to drop posix caps, how would selinux change correspondingly?
Would it just drop the capability class altogether, perhaps beef up the
task or security class? Just wondering whether anyone had thought about
this.

Alternatively, we could try yet again to get support for fs caps
upstream...

-serge
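The privilege-drop pitfall above (a root process that "drops" root but can quietly get it back) is easy to demonstrate. The C below is an added example, not code from this thread or from the kernel tree: it drops to a non-root uid/gid checking every return value, then verifies the drop by confirming that setuid(0)/setgid(0) now fail with EPERM, and finally asks the kernel via the raw capget(2) syscall whether CAP_NET_RAW (the capability /usr/bin/ping needs) is still in the effective set. It is Linux-specific and assumes uid/gid 65534 ("nobody" on most distributions) exists when started as root; started as an ordinary user it drops to its own ids, which exercises the same checks.

```c
/* Added example, not code from the thread: the "drop root and make sure it
 * really dropped" pattern, plus a check of whether CAP_NET_RAW survived.
 * Linux-specific; uses the raw capget(2) syscall so no libcap is required.
 * Assumption: uid/gid 65534 ("nobody" on most distributions) exists. */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
#include <linux/capability.h>

/* Pick a non-root target: 65534 when we start as root, else our own ids.
 * (65534 is assumed to be "nobody"; adjust for the system at hand.) */
uid_t target_uid(void) { return getuid() == 0 ? (uid_t)65534 : getuid(); }
gid_t target_gid(void) { return getgid() == 0 ? (gid_t)65534 : getgid(); }

/* Drop to uid/gid. Order matters: supplementary groups first (only root can
 * clear them), then gid, then uid, because once the uid is non-root the gid
 * change would be refused. Every return value is checked; ignoring a failed
 * setuid() is exactly the bug that leaves a "dropped" process still root.
 * Returns 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0)
        return -1;                     /* dropping "to root" is not a drop */
    /* Clear supplementary groups; the kernel only lets root (CAP_SETGID) do it. */
    if (geteuid() == 0 && getgroups(0, NULL) > 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)              /* as root this sets real, effective and saved uid */
        return -1;
    return 0;
}

/* Verify the drop actually took: real and effective ids match the target,
 * and regaining root now fails with EPERM (this also covers a leftover
 * saved-set uid, which setuid(0) would otherwise happily restore).
 * Returns 1 if the process is genuinely de-privileged, 0 otherwise. */
int verify_dropped(uid_t uid, gid_t gid)
{
    if (uid == 0 || getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    if (setuid(0) == 0 || errno != EPERM)
        return 0;
    if (setgid(0) == 0 || errno != EPERM)
        return 0;
    return 1;
}

/* Does the effective set still contain CAP_NET_RAW?  When a process whose
 * uids were all 0 switches to non-root ids the kernel clears its effective
 * set (and its permitted set too, unless SECBIT_KEEP_CAPS was requested),
 * so this should report 0 after drop_privileges().
 * Returns 1 or 0, or -1 if capget(2) fails. */
int has_effective_cap_net_raw(void)
{
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    hdr.version = _LINUX_CAPABILITY_VERSION_3;
    hdr.pid = 0;                       /* 0 means the calling process */
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    return (data[CAP_TO_INDEX(CAP_NET_RAW)].effective &
            CAP_TO_MASK(CAP_NET_RAW)) ? 1 : 0;
}

int main(void)
{
    uid_t uid = target_uid();
    gid_t gid = target_gid();
    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("dropped to uid %u gid %u: %s; CAP_NET_RAW effective: %d\n",
           (unsigned)uid, (unsigned)gid,
           verify_dropped(uid, gid) ? "verified" : "NOT VERIFIED",
           has_effective_cap_net_raw());
    return 0;
}
```

Run it once as root and once as a normal user: in both cases the drop must verify and CAP_NET_RAW must be absent afterwards. The verification step is the part worth copying; a program that merely calls setuid() and moves on has no evidence that the call did what it assumed.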
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/