Re: LSM conversion to static interface

On Thursday 18 October 2007 04:18, Linus Torvalds wrote:

quoted text

> On Wed, 17 Oct 2007, Thomas Fricaccia wrote: > > > > But then I noticed that, while the LSM would remain in existence, it was > > being closed to out-of-tree security frameworks. Yikes! Since then, > > I've been following the rush to put SMACK, TOMOYO and AppArmor > > "in-tree". > > Yeah, it did come up. Andrew, when he sent it on to me, said that the SuSE > people were ok with it (AppArmor), but I'm with you - I applied it, but > I'm also perfectly willing to unapply it if there actually are valid > out-of-tree users that people push for not merging.

The patch doesn't hurt AppArmor, but it's still a step in the wrong direction. Quoting from commit 20510f2f (Convert LSM into a static interface):

quoted text

> In a nutshell, there is no safe way to unload an LSM. The modular interface > is thus unecessary and broken infrastructure. It is used only by > out-of-tree modules, which are often binary-only, illegal, abusive of the > API and dangerous, e.g. silently re-vectoring SELinux.

This is idiotic. Just because there is no safe way to unload SELinux - doesn't mean there is no safe way to unload other LSMs: if nothing but that, unloading is handy during development. - doesn't mean that module *loading* is unsafe. The patch removes module loading as well, which hurts more than removing module unloading. LSM can be abused ... so what, this doesn't mean the interface is bad. Non-LSM loadable modules have been known to do lots of bad things, and yet nobody made them non-loadable either (yet).

quoted text

> [...] > For example, I do kind of see the point that a "real" security model might > want to be compiled-in, and not something you override from a module.

Non-trivial modules (i.e., practically everything beyond capabilities) become effective only after loading policy, anyway. If you can load policy, you can as well first load a security module without making the system insecure. Thanks, Andreas -

unsubscribe notice

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/


linux-kernel:
Linus Torvalds	Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3
Tony Lindgren	[PATCH 37/90] ARM: OMAP: MPUIO wake updates
Greg KH	[GIT PATCH] driver core patches against 2.6.24
Miklos Szeredi	-rt doesn't compile for UML
git:
Florian Weimer	Re: Handling large files with GIT
Dana How	[PATCH] Prevent megablobs from gunking up git packs
Denis Bueno	Recovering from repository corruption
Peter Stahlir	Git as a filesystem
openbsd-misc:
Richard Stallman	Real men don't attack straw men
Brian A. Seklecki	sshd_config(5) PermitRootLogin yes
Theo de Raadt	Re: dmesg IBM x3650 OpenBSD 4.3
Stuart Henderson	Re: Actual BIND error - Patching OpenBSD 4.3 named ?
linux-netdev:
Auke Kok	[PATCH 5/6] e1000: Secondary unicast address support
Jon Nelson	tg3: strange errors and non-working-ness
Indan Zupancic	Re: Realtek 8111C transmit timed out
Brandeburg, Jesse	RE: 2.6.24 BUG: soft lockup - CPU#X


Shared swap partition	4 minutes ago	Linux general
usb mic not detected	4 hours ago	Applications and Utilities
Problem in Inserting a module	5 hours ago	Linux kernel
Treason Uncloaked	10 hours ago	Linux kernel
high memory	2 days ago	Linux kernel
semaphore access speed	2 days ago	Applications and Utilities
the kernel how to power off the machine	2 days ago	Linux kernel
Easter Eggs in windows XP	2 days ago	Windows
Root password	3 days ago	Linux general
Where/when DNOTIFY is used?	3 days ago	Linux kernel

Re: LSM conversion to static interface

Online users