Posted Feb 1, 2008 17:52 UTC (Fri) by jd
Parent article: LSM: loadable or static?
Loadable security modules are a potential problem, because there's a time prior to them being loaded when the system is potentially insecure. Well, maybe. That would seem to depend on the default access rights. It would seem perfectly possible for certain components to have automatic denial of access unless specifically permitted (a generalization of the ideas in mandatory access controls). In which case, loadable security modules would be less of a security hole.
The only context I can think of is where you have specific needs (such as maintenance of embedded systems) that need special rights but are so infrequent that having the code for those rights permanently present is inefficient use of memory and CPU cycles. This only matters, though, when one or both of these are so heavily constrained that even the tiny difference made by an LSM module would have a significant operational impact.
The question then becomes one of whether the mainstream kernel should actively support such special cases. Are they common enough to be mainlined, or rarities that shouldn't be actively prohibited by kernel design but only really supported by an external patch?
to post comments)