| |||||||||||||
Critical Linux security API is still a kludge (Inquirer)Critical Linux security API is still a kludge (Inquirer)Posted Oct 23, 2006 15:26 UTC (Mon) by ajross (subscriber, #4563)Parent article: Critical Linux security API is still a kludge (Inquirer)
Can someone explain why the existing LSM/SELinux hooks in the kernel are insufficient for this task? They can hook file access and execution already.
(Log in to post comments)
Critical Linux security API is still a kludge (Inquirer) Posted Oct 23, 2006 15:34 UTC (Mon) by ajross (subscriber, #4563) [Link] Never mind. I found the answer on Dazuko's FAQ: href=http://www.dazuko.de/tgen.shtml#LSM To paraphrase, they don't like LSM because (1) the API isn't stable between kernel versions and (2) they don't want to integrate with SELinux or AppArmor, which also use the hooks. These are the "culture shock" complaints you hear from a company used to doing business in the proprietary world: they don't understand that cooperation and collaboration is expected from them as the price of entry. Instead, they want the kernel to "get out of the way" so their product can work without interference, and the easiest way to make that hack work is to hook the syscall table.
Critical Linux security API is still a kludge (Inquirer) Posted Oct 23, 2006 16:11 UTC (Mon) by AJWM (guest, #15888) [Link] > To paraphrase, they don't like LSM because [...] they don't want to integrate with SELinux or AppArmor, which also use the hooks.
The linked FAQ implies that the presence of AppArmor somehow makes the LSM API unavailable to any other module. I don't know enough to judge - could someone provide or point to a description of the LSM API that explains why this might be so, or why dazuko is wrong? I can see why you wouldn't want a security API open to just anyone who asks, but how difficult could it be to tell the first module that loads (eg AppArmor) that it's okay to load dazuko too?
Critical Linux security API is still a kludge (Inquirer) Posted Oct 23, 2006 16:18 UTC (Mon) by ajross (subscriber, #4563) [Link] [...] but how difficult could it be to tell the first module that loads (eg AppArmor) that it's okay to load dazuko too? My reading of this statement in their FAQ is that it's just spin. It's very common for two security solutions to collide, and for very good design reasons. To an AV scanner, another AV scanner look an awful lot like a rootkit. Making them work together, in the open souce world, is called "collaboration," and it makes the software better for everyone. And that seems to be exactly the step that the "Dazuko" jokers want to skip. The article was clearly a troll, and about some IMHO pretty questionable software.
Critical Linux security API is still a kludge (Inquirer) Posted Oct 23, 2006 16:30 UTC (Mon) by nix (subscriber, #2304) [Link] The LSM API intentionally does not stack. Stacking LSM modules that only restrict access is *probably* safe, but how can you be sure that the consequences of ANDing two unrelated modules' constraints together is still secure?
(This annoys me, too, but the reasoning for banning stacking is an absolute killer...)
Stacking IS allowed. Posted Oct 23, 2006 18:44 UTC (Mon) by dwheeler (guest, #1216) [Link] Stacking LSM modules IS allowed, just not in the way that you first consider.When you install an LSM module, it explicitly takes over. If you want to have "stacked" modules, you need to FIRST install a "stacking" LSM module, and THEN install the other modules. The LSM interface was SPECIFICALLY designed to support this. I wrote the first LSM stacking module. But it has now been taken over, and it's now the lsm-stacker project (I no longer have anything to do with it, other than being a fan of the concept). Unfortunately, this module is not currently in the main kernel tree... but that is the eventual intent.
|
|||||||||||||