Re: LSM conversion to static interface
- From: Andreas Gruenbacher <agruen@xxxxxxx>
- Date: Fri, 19 Oct 2007 22:26:53 +0200
On Thursday 18 October 2007 04:18, Linus Torvalds wrote:
On Wed, 17 Oct 2007, Thomas Fricaccia wrote:
But then I noticed that, while the LSM would remain in existence, it was
being closed to out-of-tree security frameworks. Yikes! Since then,
I've been following the rush to put SMACK, TOMOYO and AppArmor
"in-tree".
Yeah, it did come up. Andrew, when he sent it on to me, said that the SuSE
people were ok with it (AppArmor), but I'm with you - I applied it, but
I'm also perfectly willing to unapply it if there actually are valid
out-of-tree users that people push for not merging.
The patch doesn't hurt AppArmor, but it's still a step in the wrong direction.
Quoting from commit 20510f2f (Convert LSM into a static interface):
In a nutshell, there is no safe way to unload an LSM. The modular interface
is thus unecessary and broken infrastructure. It is used only by
out-of-tree modules, which are often binary-only, illegal, abusive of the
API and dangerous, e.g. silently re-vectoring SELinux.
This is idiotic. Just because there is no safe way to unload SELinux
- doesn't mean there is no safe way to unload other LSMs: if nothing
but that, unloading is handy during development.
- doesn't mean that module *loading* is unsafe. The patch removes module
loading as well, which hurts more than removing module unloading.
LSM can be abused ... so what, this doesn't mean the interface is bad. Non-LSM
loadable modules have been known to do lots of bad things, and yet nobody
made them non-loadable either (yet).
[...]
For example, I do kind of see the point that a "real" security model might
want to be compiled-in, and not something you override from a module.
Non-trivial modules (i.e., practically everything beyond capabilities) become
effective only after loading policy, anyway. If you can load policy, you can
as well first load a security module without making the system insecure.
Thanks,
Andreas
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
- Follow-Ups:
- Re: LSM conversion to static interface
- From: James Morris
- Re: LSM conversion to static interface
- From: Linus Torvalds
- Re: LSM conversion to static interface
- References:
- Re: LSM conversion to static interface
- From: Linus Torvalds
- Re: LSM conversion to static interface
- Prev by Date: [PATCH] dz.c: Don't panic() when request_irq() fails
- Next by Date: "CIFS VFS: server not responding" with some client/server combinations
- Previous by thread: Re: LSM conversion to static interface
- Next by thread: Re: LSM conversion to static interface
- Index(es):
Relevant Pages
|
