Re: Linux Security Module Framework (Was: LSM conversion to staticinterface)

From: Jan Engelhardt
Date: Wed Oct 24 2007 - 17:42:35 EST

Next message: Arjan van de Ven: "Re: [PATCH 2.6.24-rc1]EXPORT_SYMBOL(__set_page_dirty_no_writeback);"
Previous message: Chuck Ebbert: "Re: x86_64 and AMD with C1E"
In reply to: Kyle Moffett: "Re: Linux Security *Module* Framework (Was: LSM conversion to static interface)"
Next in thread: Casey Schaufler: "Re: Linux Security *Module* Framework (Was: LSM conversion to static interface)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Oct 24 2007 17:02, David P. Quigley wrote:
>>
>> There has been a feature in the security framework that probably did
>> not get much attention. It looks like YAGNI first, but on a closer look,
>> it becomes useful pretty quick - secondary_register.
>>
>> As more and more simple LSM plugins pop up, stacking/chaining by means
>> of secondary_register becomes attractive again, especially if these LSMs
>> target different actions. This is probably the most useful thing why
>> the LSM interface should remain modular:
>>
>> # Secure my files
>> modprobe apparmor
>> # -*- assuming apparmor implemented secondaries -*-
>> # Secure my ports
>> modprobe portac
>> # More rights to users
>> modprobe multiadm
>> # -*- whatever else comes along -*-

>Apparmor wants to lock down some application, it gives the application
>access to a particular port, and the minimal set of privileges needed to
>execute the application. [...]
>however we now have to compose this with AppArmor. So an administrator
>runs into an error running his application. Is this because his user
>isn't granted the proper escalated privileges? Is it because AppArmor
>needs an extra rule to run the application?

Of course, the example I gave assumed that each LSM had disjunctive
features. Apparmor is primarily known for blocking file access,
and portac for blocking bind(2). If one of these gets additionaly
functionality, it would be nice that code gets combined so that
tracking down the piece of code that caused a particular syscall to
say nay is easier to pinpoint.

>It could also be that our third module has blocked the application
>because it determined that even though multiadm specified that the
>user should have the elevated privileges to run the application that
>user shouldn't be able to bind to that port.
>[...] Stacking works in things such as file systems because we have
>a clearly defined interface with fixed solid semantics. You could
>attempt to do that but once you have modules that step on each
>others toes you have to figure out a way to reconcile that.

I agree - if one does not get the magic behind LSM stacking, s/he
should not use it, or learn to use it.
However, if you grasp how it works (probably even easier to learn
than figuring out how to selinux), one should know that a pam_deny.so
even after a pam_permit.so will lock you down. Yeah, it's like PAM
stacking.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Arjan van de Ven: "Re: [PATCH 2.6.24-rc1]EXPORT_SYMBOL(__set_page_dirty_no_writeback);"
Previous message: Chuck Ebbert: "Re: x86_64 and AMD with C1E"
In reply to: Kyle Moffett: "Re: Linux Security *Module* Framework (Was: LSM conversion to static interface)"
Next in thread: Casey Schaufler: "Re: Linux Security *Module* Framework (Was: LSM conversion to static interface)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Re: Linux Security *Module* Framework (Was: LSM conversion to staticinterface)

Re: Linux Security Module Framework (Was: LSM conversion to staticinterface)