From: "Serge E. Hallyn" <serue@us.ibm.com>
To: James Morris <jmorris@namei.org>
Cc: "Serge E. Hallyn" <serue@us.ibm.com>,
Kyle Moffett <mrmacman_g4@mac.com>,
Andreas Gruenbacher <agruen@suse.de>,
Chris Wright <chrisw@sous-sol.org>,
linux-security-module@vger.kernel.org,
Andrew Morgan <agm@google.com>, Andrew Morton <akpm@google.com>,
Stephen Smalley <sds@tycho.nsa.gov>,
lkml <linux-kernel@vger.kernel.org>,
Arjan van de Ven <arjan@infradead.org>, Greg KH <greg@kroah.com>,
Eric Paris <eparis@redhat.com>
Subject: Re: [PATCH try #2] security: Convert LSM into a static interface
Date: Wed, 27 Jun 2007 12:21:02 -0500 [thread overview]
Message-ID: <20070627172102.GB16764@sergelap.austin.ibm.com> (raw)
In-Reply-To: <Line.LNX.4.64.0706271031220.5258@localhost.localdomain>
Quoting James Morris (jmorris@namei.org):
> On Wed, 27 Jun 2007, Serge E. Hallyn wrote:
>
> > Quoting Kyle Moffett (mrmacman_g4@mac.com):
> > > This whole discussion boils down to 2 points:
> >
> > Yes it can, but not the two you list.
> >
> > > 1) As currently implemented, no LSM may be safely rmmod-ed
> >
> > That's not the rationale for the patch, it's just some talking point you
> > picked up. The rationale for the patch is to prevent abuse.
>
> This is not correct. Reducing API abuse is simply a bonus.
>
> The rationale for the patch is to remove unneeded infrastructure which
> complicates security by introducing the idea that the security module can
> be removed at all.
>
> It was in response to your very own posting about the new capabilities
> code which would need to take this into account.
It's (IMO) by far not the optimal "solution" :) If it is felt a
solution is really needed, re-introduction of a
security_ops->module_exit hook and introduction of CAP_SYS_CAPDISABLE
would be better.
But I'm well aware there are far too many (separate and not so separate)
agendas driving this, and have no expectations of being able to stop it.
James, FWIW, I'm sorry I haven't had a chance to actually test the
patch. I'll try to get around to that today or at least this week.
-serge
> Recall:
>
> On Sun, 24 Jun 2007, Serge E. Hallyn wrote:
>
> > > 2) Allocate capability bit-31 for CAP_SETFCAP, and use it to gate
> > > whether the user can set this xattr on a file or not. CAP_SYS_ADMIN is
> > > way too overloaded and this functionality is special.
> >
> > The functionality is special, but someone with CAP_SYS_ADMIN can always
> > unload the capability module and create the security.capability xattr
> > using the dummy module.
> >
> > If we do add this cap, do we want to make it apply to all security.*
> > xattrs?
>
> The underlying issue here is the notion of security mechanisms which are
> built as loadable modules. It's not useful for any in-tree users, and
> introduces several unnecessary problems which then need to be addressed.
>
> A better approach would be to make LSM a statically linked interface.
>
> This would also allow us to unexport the LSM symbols and reduce the API
> abuse by third-party modules.
>
>
>
> - James
> --
> James Morris
> <jmorris@namei.org>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2007-06-27 17:21 UTC|newest]
Thread overview: 63+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20070611123714.GA2063@sergelap.austin.ibm.com>
[not found] ` <878322.98602.qm@web36606.mail.mud.yahoo.com>
[not found] ` <afff21250706110926l244ddc28i44289cb08a6721e2@mail.gmail.com>
[not found] ` <20070617135239.GA17689@sergelap>
[not found] ` <4676007F.7060503@kernel.org>
[not found] ` <20070618044017.GW3723@sequoia.sous-sol.org>
[not found] ` <20070620171037.GA28670@sergelap.ibm.com>
[not found] ` <20070620174613.GF3723@sequoia.sous-sol.org>
2007-06-21 16:00 ` implement-file-posix-capabilities.patch Serge E. Hallyn
2007-06-23 8:13 ` implement-file-posix-capabilities.patch Andrew Morgan
2007-06-24 15:51 ` implement-file-posix-capabilities.patch Serge E. Hallyn
2007-06-24 16:18 ` implement-file-posix-capabilities.patch James Morris
2007-06-24 20:58 ` [PATCH][RFC] security: Convert LSM into a static interface James Morris
2007-06-24 22:09 ` Chris Wright
2007-06-24 22:37 ` James Morris
2007-06-25 1:38 ` Chris Wright
2007-06-24 23:40 ` Casey Schaufler
2007-06-25 1:39 ` Chris Wright
2007-06-25 3:37 ` Casey Schaufler
2007-06-25 3:57 ` Chris Wright
2007-06-25 13:02 ` Casey Schaufler
2007-06-25 14:24 ` Roberto De Ioris
2007-06-25 4:33 ` [PATCH try #2] " James Morris
2007-06-25 4:48 ` Petr Vandrovec
2007-06-25 4:58 ` James Morris
2007-06-25 16:59 ` Stephen Smalley
2007-06-25 23:56 ` [PATCH try #3] " James Morris
2007-06-25 20:37 ` [PATCH try #2] " Andreas Gruenbacher
2007-06-25 21:14 ` James Morris
2007-06-26 3:57 ` Serge E. Hallyn
2007-06-26 13:15 ` Adrian Bunk
2007-06-26 14:06 ` Serge E. Hallyn
2007-06-26 14:59 ` Adrian Bunk
2007-06-26 15:53 ` Serge E. Hallyn
2007-06-26 18:52 ` Adrian Bunk
2007-06-26 18:18 ` Greg KH
2007-06-26 18:40 ` Serge E. Hallyn
2007-06-26 4:09 ` Kyle Moffett
2007-06-26 4:25 ` Kyle Moffett
2007-06-26 13:47 ` Serge E. Hallyn
2007-06-27 0:07 ` Kyle Moffett
2007-06-27 0:57 ` Crispin Cowan
2007-06-27 1:22 ` Kyle Moffett
2007-06-27 4:24 ` Chris Wright
2007-06-27 13:41 ` Serge E. Hallyn
2007-06-27 14:36 ` James Morris
2007-06-27 17:21 ` Serge E. Hallyn [this message]
2007-06-27 18:51 ` Serge E. Hallyn
2007-06-27 19:28 ` James Morris
2007-06-28 2:48 ` Serge E. Hallyn
2007-06-25 3:57 ` [PATCH][RFC] " Serge E. Hallyn
2007-06-25 4:10 ` Chris Wright
2007-06-25 4:54 ` Serge E. Hallyn
2007-06-25 13:50 ` Casey Schaufler
2007-06-25 13:54 ` James Morris
2007-06-25 14:32 ` Serge E. Hallyn
2007-06-25 15:08 ` Casey Schaufler
2007-06-27 5:00 ` implement-file-posix-capabilities.patch Andrew Morgan
2007-06-27 13:16 ` implement-file-posix-capabilities.patch Serge E. Hallyn
2007-06-28 6:19 ` implement-file-posix-capabilities.patch Andrew Morgan
2007-06-28 13:36 ` implement-file-posix-capabilities.patch Serge E. Hallyn
2007-06-28 15:14 ` implement-file-posix-capabilities.patch Casey Schaufler
2007-06-28 15:38 ` implement-file-posix-capabilities.patch Serge E. Hallyn
2007-06-28 15:56 ` implement-file-posix-capabilities.patch Casey Schaufler
2007-06-29 5:30 ` implement-file-posix-capabilities.patch Andrew Morgan
2007-06-29 13:24 ` implement-file-posix-capabilities.patch Serge E. Hallyn
2007-06-29 14:46 ` implement-file-posix-capabilities.patch Casey Schaufler
2007-06-28 15:50 ` implement-file-posix-capabilities.patch Andrew Morgan
2007-07-02 14:38 ` implement-file-posix-capabilities.patch Serge E. Hallyn
2007-07-04 21:29 ` implement-file-posix-capabilities.patch Andrew Morgan
2007-07-04 23:00 ` implement-file-posix-capabilities.patch Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20070627172102.GB16764@sergelap.austin.ibm.com \
--to=serue@us.ibm.com \
--cc=agm@google.com \
--cc=agruen@suse.de \
--cc=akpm@google.com \
--cc=arjan@infradead.org \
--cc=chrisw@sous-sol.org \
--cc=eparis@redhat.com \
--cc=greg@kroah.com \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mrmacman_g4@mac.com \
--cc=sds@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).