Crispin Cowan wrote:... Security can (and should) be implemented in a layered approach. Not allowing stacking means that, rather than creating modules which complement each other, certain layers need to be migrated into the mainline kernel code. This would be ok if every situation had the same security requirements; however, they do not. For example small LSMs that provide hooks for Malware scanners (like dazuko), certain security improvements (such as RaceGuard, PaX ...) and POSIX capabilities could be stacked with other larger lsms (traditional access control, IDS, firewalls) rather than copying these techniques into all the large lsms (such as SELinux and AppArmor) or putting them into the mainline kernel. Obviously it would be easier to maintain one capability lsm which stacks, than capabilities being implemented in every access control lsm. It may be possible to compile stacked LSMs together (I don't know), but modules provide greater flexibility and either way stacking should be pursued. I agree with Crispin, restore modules. Then discussions of suitable ways of providing stacking can occur / continue. Cliffe wrote: Just to clarify, I was agreeing with Al that layers for the sake of layers does not improve security if the layers are flawed. I was not implying that the specific LSMs that are being proposed currently (AppArmor etc) are flawed. I personally think that AppArmor provides security improvements which are particularly suitable in some situations. However, if you do have defense in depth then a flaw in one layer may be compensated by another layer. For example if you have a system wide firewall that does not allow any incoming traffic to enter a system, and an AppArmor profile denies all network traffic to a specific application, then a flaw in the firewall which would ordinarily result in a compromise of the systems policy would not cause that specific application to be exposed. Granted this may be a poor example, but it does illustrate that layers provide security improvements. Of course this kind of setup does provide management and usability challenges but that is an area for improvement. Anyway I hope that my opinion is helpful, Cliffe. -- Z. Cliffe Schreuders BSc Comp Sci (Hons) & Int Comp PhD Candidate, Casual Tutor School of IT Murdoch University -
| Stephane Jourdois | Re: 2.6.21-rc4-mm1 [PATCH] init/missing_syscalls.h fix |
| David Brown | Re: Linux 2.6.21-rc2 |
| Andi Kleen | [PATCH] [1/12] x86: Work around mmio config space quirk on AMD Fam10h |
| david | Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3 |
| David Miller | Re: [GIT]: Networking |
| David Woodhouse | Re: [bug?] tg3: Failed to load firmware "tigon/tg3_tso.bin" |
| Gerrit Renker | [PATCH 15/37] dccp: Set per-connection CCIDs via socket options |
| Jarek Poplawski | [PATCH] pkt_sched: Destroy gen estimators under rtnl_lock(). |
git: | |
