Re: [RFC v2 2/3] LSM: Add statistics about the invocation of dynamic hooks

From: James Morris
Date: Sun Dec 10 2017 - 17:31:51 EST

Next message: Stephen Rothwell: "linux-next: build warning after merge of the kbuild tree"
Previous message: Peter Hutterer: "Re: [PATCH v2 2/2] HID: input: do not increment usages when a duplicate is found"
In reply to: Casey Schaufler: "Re: [RFC v2 2/3] LSM: Add statistics about the invocation of dynamic hooks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 8 Dec 2017, Sargun Dhillon wrote:

> The purpose of this is similar to the purpose of something like
> iptables -L -n. With the proliferation of LSMs, it's going to
> be more important to have a way to understand what's going on.

The difference with iptables being that it's an application on top of the
netfilter hooks, with strongly defined behavioral semantics for matches
and targets, while their configuration is the security policy.

LSM is more like the raw netfilter layer, and I don't think you can make a
lot of sense from a list of just which hooks are active. You need
semantic knowledge of how those hooks are configured, i.e. security
policy.

I suggest dropping this part for now at least, and perhaps think about
building an API on top of this feature with strongly defined semantics
(e.g. something like iptables on top of netfilter).

- James
--
James Morris
<james.l.morris@xxxxxxxxxx>

Next message: Stephen Rothwell: "linux-next: build warning after merge of the kbuild tree"
Previous message: Peter Hutterer: "Re: [PATCH v2 2/2] HID: input: do not increment usages when a duplicate is found"
In reply to: Casey Schaufler: "Re: [RFC v2 2/3] LSM: Add statistics about the invocation of dynamic hooks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]