Re: [RFC] Virtualization steps

[Serge E. Hallyn]

Quoting Eric W. Biederman (ebiederm@xxxxxxxxxxxx):
> Herbert Poetzl <herbert@xxxxxxxxxxxx> writes:
> 
> > sorry folks, I don't think that we _ever_ want container
> > root to be able to load any kernel modues at any time
> > without having CAP_SYS_ADMIN or so, in which case the
> > modules can be global as well ... otherwise we end up
> > as a bad Xen imitation with a lot of security issues,
> > where it should be a security enhancement ...
> 
> Agreed.  At least until someone defines a user-mode
> linux-security-module.  We may want a different security module

It's been done before, at least for some hooks (ie one implementation by
antivirus folks).  But to actually do this with full support for all
hooks would require some changes.  For example, the security_task_kill()
hook is called under several potential locks.  At least
read_lock(tasklist_lock) and plain rcu_read_lock() (and I thought also
write_lock(tasklist_lock), but can't find that instance right now).

Clearly that can be fixed, but atm a user-mode lsm isn't entirely
possible.

-serge
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/