Re: Preview of changes to the Security susbystem for 2.6.36

From: Christian Stroetmann
Date: Mon Aug 02 2010 - 13:29:46 EST

Next message: Christian Stroetmann: "Re: Formal Reiser4 inclusion and todo list?"
Previous message: Randy Dunlap: "Re: linux-next: Tree for August 2 (scsi/pcmcia)"
In reply to: Kees Cook: "Re: Preview of changes to the Security susbystem for 2.6.36"
Next in thread: Kees Cook: "Re: Preview of changes to the Security susbystem for 2.6.36"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Kees;
On the 02.08.2010 18:36, Kees Cook wrote:

Hi Christian,

On Mon, Aug 02, 2010 at 12:19:54PM +0200, Christian Stroetmann wrote:

But we discussed as well that the problem of chaining of small or
large LSMs is not an argument for the existence of the Yama LSM, and
that the LSM architecture should be developed further so that all of
the functionalities of other securtiy packages without an LSM can be
integrated as a whole by a new version of the LSM system in the
future and not by ripping them of like it was done with the Yama LSM
[3].
You can see these objections [3] as a second NAK, but now from a
company's developer (I haven't said this before, because I'm not a
hard core kernel developer).

I'm not sure I understand you, exactly. Are you saying that Yama should not
exist because it might grow into a large LSM?

-Kees

Sorry, but: No, you haven't. In fact we have these lines of discussion:
1. You said "Trying to chain comprehensive LSMs seems like it will always fail, but putting little LSMs in front of big LSMs seems like an easy win." And I said that "I don't think that the problem is if an LSM is small or large."
2a. I said also "[...] you will put more and more functionalities, maybe again taken from other packages, into your new LSM with the result that at the end it will be a big LSM. And then?". Then after point 1. we have a chaining problem of comprehensive LSMs, as you said.
2b. Otherwise, if we have no chaining problem as I said (see point 1.) and your LSM becomes larger, then I said it is better to solve the problem at the side of the LSM architecture and not be ripping off other security packages and put their functionalities into LSMs like it was done by the Yama LSM.

So that doesn't mean that the Yama LSM should not exist because it might grow. It means: If the Yama LMS grows mainly by porting into it functionalities of other security packages that actually have no relation to the LSM system, then it should not exist in favor of a new LSM architecture that enables the integration of those security packages. The Yama LSM should not become a container of functionalities of other already existing security packages. If you put only your own security concepts and methodes into it, then its OK, for sure.
Also, the Yama LSM should not exist if it only dictates the structure of the other LSMs, especially if it becomes large and in this way important to be followed by only growing it with functionalities taken from other security packages. If you say that the way of the Yama LSM is the right way to do it in general, then we don't need a new LSM like Yama, but a new LSM architecture.

Hopefully I could clearify it now a little bit better. Otherwise the night is long :)

Best regards
Christian Stroetmann
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Christian Stroetmann: "Re: Formal Reiser4 inclusion and todo list?"
Previous message: Randy Dunlap: "Re: linux-next: Tree for August 2 (scsi/pcmcia)"
In reply to: Kees Cook: "Re: Preview of changes to the Security susbystem for 2.6.36"
Next in thread: Kees Cook: "Re: Preview of changes to the Security susbystem for 2.6.36"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]