Re: Defense in depth: LSM *modules*, not a static interface

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

To: Peter Dolding <oiaohm@...>

Cc: Crispin Cowan <crispin@...>, Simon Arlott <simon@...>, <linux-kernel@...>, <linux-security-module@...>

Subject: Re: Defense in depth: LSM *modules*, not a static interface

Date: Tuesday, November 6, 2007 - 11:50 pm

As good an idea POSIX capabilities might be, not all security problems 
can be solved with a bitmap of on/off permissions.

Peter Dolding wrote:
quoted text> "AppArmor profile denies all network traffic to a specific
> application"  Ok why should AppArmor be required to do this.  Would it
> not be better as as part of Capabilities that is always there and is
> application controllable.  It would be a security advantage if data
> processing threads that don't do network access inside a application
> don't have it.  Basically this feature could be done in mirror.  Allow
> Network access Capabilities flag.  Not set application cannot access
> network at all.  All LSM's would be able to use that to cut of network
> access to applications.  As a standard feature of kernel if a new
> network stack or some other alteration is done LSM hooks would not
> need altering.  Lot of LSM hooks would disappear.  Need for LSM to
> monitor and run different code to kernel in a lot of places would also
> disappear.
>
> With Capabilities expand it to point that applications cannot do
> anything without permissions.  Both models are do able.  Restrictive
> can be done in a Permissive model effectively if the starting point of
> the Permissive is that you cannot do anything without permissions
> being granted.  Big different is that the Permissive Model is the
> kernel default.  Some LSM are design in conflict with the main model
> of the OS.  You really only want one model from speed point of view

Ok but what happens to the principle of least privilege?

What if we want AppArmor to confine that application to use a particular 
set of ports?

Do you propose having a capability for each port? how about protocols?

So unless my understanding of capabilities is fundamentally flawed 
(which it may be - I have not spent time reviewing recent changes) 
obviously Linux capabilities does not provide a solution to every problem.

Regards,

Cliffe.

--

Z. Cliffe Schreuders
BSc Comp Sci (Hons) & Int Comp
PhD Candidate, Casual Tutor
School of IT
Murdoch University
-
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

Re: Linux Security *Module* Framework (Was: LSM conversion t..., Rob Meijer, (Mon Oct 29, 3:04 pm)

Re: Linux Security *Module* Framework (Was: LSM conversion t..., Casey Schaufler, (Mon Oct 29, 4:27 pm)

Re: Linux Security *Module* Framework (Was: LSM conversion t..., Crispin Cowan, (Mon Oct 29, 3:41 pm)

Re: Linux Security *Module* Framework (Was: LSM conversion t..., Peter Dolding, (Tue Oct 30, 1:13 am)

Re: Linux Security *Module* Framework (Was: LSM conversion t..., Jan Engelhardt, (Tue Oct 30, 2:42 pm)

Re: Linux Security *Module* Framework (Was: LSM conversion t..., Peter Dolding, (Tue Oct 30, 7:38 pm)

Re: Linux Security *Module* Framework (Was: LSM conversion t..., , (Tue Oct 30, 8:16 pm)

Re: Linux Security *Module* Framework (Was: LSM conversion t..., Peter Dolding, (Tue Oct 30, 10:21 pm)

Re: Linux Security *Module* Framework (Was: LSM conversion t..., Crispin Cowan, (Wed Oct 31, 2:43 am)

Re: Linux Security *Module* Framework (Was: LSM conversion t..., Toshiharu Harada, (Wed Oct 31, 6:10 am)

Re: Linux Security *Module* Framework (Was: LSM conversion t..., Peter Dolding, (Wed Oct 31, 10:04 pm)

Re: Linux Security *Module* Framework (Was: LSM conversion t..., Casey Schaufler, (Wed Oct 31, 10:20 pm)

Re: Linux Security *Module* Framework (Was: LSM conversion t..., Peter Dolding, (Wed Oct 31, 10:51 pm)

Re: Linux Security *Module* Framework (Was: LSM conversion t..., Andrew Morgan, (Mon Nov 5, 2:56 am)

Re: Linux Security *Module* Framework (Was: LSM conversion t..., Serge E. Hallyn, (Mon Nov 5, 9:29 am)

Re: Linux Security *Module* Framework (Was: LSM conversion t..., Jan Engelhardt, (Thu Nov 1, 3:17 am)

Re: Linux Security *Module* Framework (Was: LSM conversion t..., David Newall, (Thu Nov 1, 7:49 am)

Re: Linux Security *Module* Framework (Was: LSM conversion t..., Peter Dolding, (Sat Nov 3, 9:28 pm)

Re: Linux Security *Module* Framework (Was: LSM conversion t..., Peter Dolding, (Wed Oct 31, 5:03 am)

Re: Linux Security *Module* Framework (Was: LSM conversion t..., , (Wed Oct 31, 1:08 am)

Re: Linux Security *Module* Framework (Was: LSM conversion t..., Casey Schaufler, (Tue Oct 30, 11:43 pm)

Re: Linux Security *Module* Framework (Was: LSM conversion t..., Casey Schaufler, (Tue Oct 30, 3:14 pm)

Re: Linux Security *Module* Framework (Was: LSM conversion t..., Jan Engelhardt, (Tue Oct 30, 3:50 pm)

Defense in depth: LSM *modules*, not a static interface, Cliffe, (Tue Oct 30, 3:14 am)

Re: Defense in depth: LSM *modules*, not a static interface, Simon Arlott, (Tue Oct 30, 8:30 am)

Re: Defense in depth: LSM *modules*, not a static interface, Crispin Cowan, (Mon Nov 5, 11:46 pm)

Re: Defense in depth: LSM *modules*, not a static interface, Cliffe, (Tue Nov 6, 3:26 am)

Re: Defense in depth: LSM *modules*, not a static interface, Peter Dolding, (Tue Nov 6, 7:59 pm)

Re: Defense in depth: LSM *modules*, not a static interface, Cliffe, (Tue Nov 6, 11:50 pm)

Re: Defense in depth: LSM *modules*, not a static interface, Casey Schaufler, (Tue Nov 6, 11:35 pm)

Re: Defense in depth: LSM *modules*, not a static interface, Tetsuo Handa, (Wed Nov 7, 12:11 am)

Re: Defense in depth: LSM *modules*, not a static interface, Casey Schaufler, (Wed Nov 7, 12:34 am)

Re: Defense in depth: LSM *modules*, not a static interface, Peter Dolding, (Wed Nov 7, 12:34 am)

Re: Defense in depth: LSM *modules*, not a static interface, Al Viro, (Tue Oct 30, 2:55 am)

Re: Defense in depth: LSM *modules*, not a static interface, Crispin Cowan, (Tue Oct 30, 3:55 am)

Re: Defense in depth: LSM *modules*, not a static interface, Casey Schaufler, (Tue Oct 30, 11:01 am)

Re: Defense in depth: LSM *modules*, not a static interface, Cliffe, (Tue Oct 30, 4:00 am)


linux-kernel:
Linus Torvalds	Linux 2.6.27-rc5
Greg Kroah-Hartman	[PATCH 007/196] Chinese: add translation of stable_kernel_rules.txt
Kamalesh Babulal	[Build Failure] 2.6.25-rc5-mm1 Build fails with allmodconfig probe_4drives undefined
Gabriel C	Re: Linus 2.6.23-rc1
openbsd-misc:

linux-netdev:
David Woodhouse	Re: [bug?] tg3: Failed to load firmware "tigon/tg3_tso.bin"
David Miller	Re: [PATCH] pkt_sched: Destroy gen estimators under rtnl_lock().
David Miller	[GIT]: Networking
Gerrit Renker	[PATCH 0/37] dccp: Feature negotiation - last call for comments
git:

Re: Defense in depth: LSM modules, not a static interface

Online users