Re: [PATCH] Enhanced Trusted Path Execution (TPE) Linux Security Module

From: Chris Wright
Date: Thu Jan 06 2005 - 00:29:21 EST

Next message: Eric W. Biederman: "Re: [Fastboot] Yet another crash dump tool"
Previous message: Andrea Arcangeli: "Re: [PATCH][5/?] count writeback pages in nr_scanned"
In reply to: Lorenzo Hernández García-Hierro: "[PATCH] Enhanced Trusted Path Execution (TPE) Linux Security Module"
Next in thread: Lorenzo Hernández García-Hierro: "Re: [PATCH] Enhanced Trusted Path Execution (TPE) Linux SecurityModule"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* Lorenzo Hernández García-Hierro (lorenzo@xxxxxxx) wrote:
> This patch adds support for an enhanced Trusted Path Execution (TPE)
> subsystem relying in the Linux Security Modules framework.
> It's a rewrite of the IBM's TPE LSM module by Niki A. Rahimi, which
> adds a couple of improvements and feature enhancements.

Thanks for taking interest and working on this.

> The most notable of them are support for per-gid basis access control
> lists in runtime and kernel-configuration time (adds support for trusted
> and untrusted user groups), procfs interface for statistics and runtime
> information and debugging capabilities (for limiting the garbage
> messages).

How does per-gid help in this case (esp. the desktop scenario you
mentioned)? And the /proc/tpe file might as well go under sysfs with
the rest of the other entries instead of cluttering /proc.

> The reasons that give sense for including this, are that standard
> Vanilla kernels have SELinux and LSM (SELinux already supports TPE
> functionalities), but SELinux has less possibilities of being used by
> those desktop or just not experienced users who are not already using
> their distribution-specific SELinux implementation, even if they want
> simple protections for their every-day system use, also, the
> availability of some patch-sets with security enhancements (like
> grsecurity) distracts users of being using the LSM framework or even
> SELinux itself, in addition, this TPE has more features than
> grsecurity's one in terms of per-users and groups acl basis, which make
> easy the management of the TPE protection.
> In short, after a first review you can see that it could worthy to
> include this in the kernel sources.

The two biggest issues are 1) it's trivial to bypass:
$ /lib/ld.so /untrusted/path/to/program
and 2) that there's no (visible/vocal) user base calling for the feature.

So working those issues will help make a better case for mainline
inclusion.

thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Eric W. Biederman: "Re: [Fastboot] Yet another crash dump tool"
Previous message: Andrea Arcangeli: "Re: [PATCH][5/?] count writeback pages in nr_scanned"
In reply to: Lorenzo Hernández García-Hierro: "[PATCH] Enhanced Trusted Path Execution (TPE) Linux Security Module"
Next in thread: Lorenzo Hernández García-Hierro: "Re: [PATCH] Enhanced Trusted Path Execution (TPE) Linux SecurityModule"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]