On 10/29/07, Crispin Cowan <crispin@crispincowan.com> wrote:
Agree slows development and experimentation with a idea BAD. I would
more say function and reach of model and how its ment to operate
documented clearly. So next coder along is not taken wild guess. It
must be so clearly documented that almost any system admin could
understand how much or how little protection it is providing.
Experimental until documented out of tree following mine.
.
Drop a stick on both of them. Since they both operate substantially
similar they should be directly prepared to share code with each
other. If one is not prepared to work with the other openly and
fairly out the tree it goes.
It could quite simple become the only thing different between Smack
and Selinux in they way they read configuration files. Long term the
most user friendly and security solid modules win. So long term one
wins short term any number of models. We of course wait for that to
happen. Note it could be agreement between coders. Since they were
force to work as one if there is merit it will come out. There is no
room for empire builders. We need security builders. Part of that
is getting your code examined by the most number of people able.
Same with apparmor vs selinux both can provide file access filtering.
So why two sets of code to do it.
LSM need a really strong maintainer prepared to beat a few ears in.
Or all we will endup with is usable modules. Selinux pain in but to
configure no not really usable. Maybe flaws in Smack so force to use
Selinux. Apparmor too weak.
Basically a stack of trash is the current LSM model. LSM's are fast
turning into x86 vs x86-64 bitrot all over again accept this time 100
times worse. What is basically bitrot caused by not sharing.
Stackable modules maybe. More important shared source code to do
stuff and common standards between LSM used where able. This also
should make it simpler for new models to be added and experimented
with. Since the new model may not need to redo all there hooking
system all over again. Reduced security risk more tested code used in
new models.
Next more important extend security down into applications if
applications need it. File access filtering would be a great feature
at the thread level.
We have enough LSM's to be hard. It a privilege to be in the main
kernel tree not a right. Part of having a module in the Linux kernel
tree is a promise to do what is right for everyones security using the
kernel even if it means the end to your LSM's existence. Part of
doing what is right is sharing of code. All LSM developers should be
looking at there code and asking should this be like posix file caps
and for everyone. Or should this be a LSM only feature because its
useless to everyone else. From what I am seeing LSM maintainers don't
seam to think its part of the requirement to help other LSM's be
better even if theirs ends up losing. Only if you are building a
Empire does it matter who wins or loses the long term of LSM's. Only
thing that truly matter is that we get the best long term.
Peter Dolding
-
