On Fri, Oct 18, 2002 at 12:04:00AM -0700, Crispin Cowan wrote:
> >I know. but hiding them doesn't make them any better..
> >
> Actually, yes it does, and that is the point. You don't have to like
> SELinux's system calls, or any other module's syscalls. The whole point
> of LSM was to decouple security design from the Linux kernel development.
But I dislike the notation of module syscalls. Syscalls are a global
thing and they shall not be registered without proper review from
all kernel developers. Driver development is untangled from kernel
development, too, and it doesn't need syscalls.
> There are a butt-load of different access control models, and many of
> them are not compatible with one another. You wouldn't want to support
> them all--that would be serious bloat. So instead, LSM lets each user
> choose the model that suits them:
Fucking no! Don't add syscall interfaces without review. Adding
a new syscall for a "security module" is a sign that you got
your design wrong.
> * server users can choose a highly secure model
> * workstation users can choose something desktop oriented
> * embedded people can choose nothing at all, or the specific
> narrow-cast model that they need
Blah, blah, blah. You don't get more security by plugging in a buggy
module.
> On the other hand: what is the big cost here? One system call. Isn't
> that actually *lower* overhead than the (say) half dozen
> security-oriented syscalls we might convince you to accept if we drop
> the sys_security syscall as you suggest? Why the fierce desire to remove
> something so cheap?
It's the broken design. Look at windows: it has tons of cheap
features - and exactly because of that it's such a piece of crap.
This archive was generated by hypermail 2b29 : Wed Oct 23 2002 - 22:00:41 EST