riel | cdub,sarnold: is there anything in particular you want me to say about you ? |
sarnold | heh, I can't think of anything that isn't being a smartass :) |
cdub | heh, sarnold's cunning intellect and smashing good looks speak for themselves ;-) |
riel | *grin* |
sarnold | oh dear; my good looks aren't that smashing, so now I have to wonder what cdub is implying about my intellect :) |
JALH | I guess. |
rsd | is LSM somewhat related to NSA work on security for Linux? |
acme | like the netfilter infrastructure? |
acme | what other uses do you envision when this infrastructure (i.e. the hooks) are in place? resource control (i.e. kinda like userbeans)? |
velco | blob ? like Binary Large OBject ? large ? |
acme | kinda like inode->u.generic_ip, netdevice->private, struct sock->protinfo.destruct_hook (yes, I'm overloading the thing) 8) |
acme | userbeans: is user quotas for kernel resources, Andrey Savochkin did it and Marcelo Tosatti worked a bit on it in the past |
acme | ok, I see, but I can see that it'll end up being generic "enough" for some other uses... 8) |
acme | ok, too much "off-topic", I'll not divert you from security anymore 8) |
JALH | hiya acme :) |
acme | hi JALH |
acme | the inode->u.generic_ipnope |
acme | nope |
acme | :) |
riel | will it be possible to use multiple security modules at the same time ? |
riel | (say, ACL + vserver) |
acme | stackable? |
riel | cdub: mmmm, something like ACLs would combine well with something like vserver (virtual servers in one machine) |
JALH | maria:) |
maluco | cdub : like LIDS do? |
maluco | cdub : yes |
acme | cdub: using the netfilter existing infrastructure for the network parts of LSM is a nice thing |
acme | cdub: but by doing that you're extending a network specific infrastructure and going toward a more generic infrastructure ;) |
acme | so netfilter, LSM, EA, userbeans, etc could be a big generic hook infrastructure 8) |
acme | I see, embrace, enhance, eliminate^Woops, improve ;) |
acme | yes, LTT, I forgot that, how could I 8) |
acme | but there are common parts and this is where all the projects can benefit |
velco | is LSM concerned with authentication ? where does it get credentials (and verifier). or it is outside the scope of LSM ? |
acme | yup, if you solve one problem in an elegant (whatever that means ;) ) way, it can be reused in ways the original author didn't anticipate |
velco | thanks |
hensema | I've recently read in some interview that the Hurd is able to run a process without a user context, eg. without rights. This would enable a ftp server to run without rights (as opposed to running as root on Unix) until a user is logged in. Would something like this be implementable using LSM? |
hensema | (running without rights is a gross simplification, BTW) |
Jae | which modules are already available ? |
riel | MJesus: are you there ? |
viZard | another 20 minutes, I rhink |
viZard | think |
riel | viZard: I think I have to go soon, could you close the lecture when cdub and sarnold are ready ? |
riel | that is, point people to http://umeet.uninet.edu/umeet2001/english/prog.eng.html |
riel | and set the channel -m ;) |
viZard | sure |
riel | viZard: also, there seems to be another lecture in 30 minutes |
wli | Is it within the scope of LSM design to counteract covert communication channels? |
viZard | yes, it is |
wli | For instance, driving up system load could be used to propagate a signal. |
riel | cdub, sarnold: shall I open #linux for discussion and applause ? |
cdub | riel, yes, i think so |
riel | ok |
sarnold | riel, unless someone else types a question real soon now ... :) |
JALH | clap clap clap clap clap clap clap |
JALH | :) |