Re: Defense in depth: LSM *modules*, not a static interface

Al Viro wrote:

quoted text

> On Tue, Oct 30, 2007 at 03:14:33PM +0800, Cliffe wrote: > >> Defense in depth has long been recognised as an important secure design >> principle. Security is best achieved using a layered approach. >> > "Layered approach" is not a magic incantation to excuse any bit of snake > oil. Homeopathic remedies might not harm (pure water is pure water), > but that's not an excuse for quackery. And frankly, most of the > "security improvement" crowd sound exactly like woo-peddlers. >

Frank's point was that the static interface makes layering somewhere between impractical and impossible. The static interface change should be dumped so that layering is at least possible. Whether any given security module is worth while is a separate issue. I.e. that there are bad medicines around is a poor excuse to ban syringes and demand that everyone be born with a strong immune system. Why is it that security flame wars always end up reasoning with absurd analogies? :-) Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin CEO, Mercenary Linux http://mercenarylinux.com/ Itanium. Vista. GPLv3. Complexity at work -

unsubscribe notice

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/


linux-kernel:
Greg Kroah-Hartman	[PATCH 004/196] Chinese: add translation of SubmittingPatches
Andi Kleen	Re: [patch] Add basic sanity checks to the syscall execution patch
Bart Van Assche	Integration of SCST in the mainstream Linux kernel
Stoyan Gaydarov	From 2.4 to 2.6 to 2.7?
git:
Elijah Newren	Trying to use git-filter-branch to compress history by removing large, obsolete bi...
Matthieu Moy	git push to a non-bare repository
Johannes Schindelin	Re: Git as a filesystem
Jakub Narebski	Re: VCS comparison table
openbsd-misc:
Richard Stallman	Real men don't attack straw men
Joachim Schipper	Re: OpenBSD/alpha Status
Theo de Raadt	Re: hardware needed for network stack performance work
Marcus Andree	Re: Cyrus IMAP performance problems [Long]
linux-netdev:
Andrew Morton	Re: [Bugme-new] [Bug 10473] New: Infinite loop "b44: eth0: powering down PHY"
John Rigby	[PATCH] [Rev2] MPC5121 FEC support
Pekka Enberg	Re: [rfc][patch 1/3] slub: fix small HWCACHE_ALIGN alignment
Ilpo Järvinen	[PATCH] [TCP]: Separate lost_retrans loop into own function


How to exec user process in kernel mode.	26 minutes ago	Linux kernel
[IPSEC]IPSEC_MANUAL_REQID_MAX	3 days ago	Linux kernel
help in UDP catching module..	3 days ago	Linux kernel
Is there anything like Real-time drivers?	5 days ago	Linux general
ns16550 serail console in Linux 2.6.19	5 days ago	Linux general
what class should i use to register my devices	5 days ago	Linux kernel
reset bios pasword toshiba	6 days ago	Hardware
Analysis of Process Scheduling	1 week ago	Linux kernel
RT Kernel and SSH Server Panics	1 week ago	Linux kernel
Resetting the bios password for Toshiba Laptop	1 week ago	Hardware

Re: Defense in depth: LSM modules, not a static interface

Online users