lsm-qc-2002-12-10.txt

* andre notes the central issues about LSM as it is w/ any binary class module is the legal aspects and the debates of linking v/s loading, so again Linus has done a great RMS model of muddying the waters of binaries rene more explanation of "access control" versus "full audit"? gregkh andre: nope, we use EXPORT_SYMBOL_GPL, so as to prevent the muddying. rene thanks, clear ShawnX can LSM support functionality mentioned by the OpenBSD people we reguards to Privilage Separation? ShawnX cdub: great! :) ShawnX sorry 'with' reguards :) andre gregkh: not valid for the framework as there has to be a private data pointer for various specifics army are there plans to included auditing when the current model is in the kernel and working? gregkh_ army: not right now, no. army gregkh_: owkee, tnx gregkh army: there's another very good kernel audit project out there from .au, can't remember the name right now, sorry. zanshin Is there a list af objects for which security modules can be written? * andre notes most of these issues on audits and and symbol exoprts are invalid because the simple rule of post the patch against the variation satisfies GPL riel_ cdub: you say that LSM protects objects, but it seems to have callback hooks per system call. riel_ cdub: could you explain why ? ;) zanshin k :) army gregkh: tnx andre cdub: how is the addition of LSM against any other bolt on API different, regardless if it is natively adopted cdub andre can you hold that question just a minute? andre yeah, but you knew it was coming sarnold hehe cdub yes ;-) andre add to the piss in the pot to stir the following: now are all LSM additions derived works and this forced to GPL thus removing the viable secret nature of LSM operations andre now if the secret sauce of each discrete LSM is disclosed, what is the use of LSM period rene cdub: could you give an example of a race here? riel_ andre: flexibility nab andre: I believe the standard response on the LSM mailing list to the former is "ask a lawyer". :-) rene cdub: another kernel level thread? otherwise I don't understand nab cdub: Is it possible to use multiple security modules at the same time, and if so what are the limitations in doing so. riel_ cdub: I guess so ;) rene then it what way could another thread modify foo so that LSM/open cares? sarnold nab: 'stacking' of security modules is possible.. david wheeler has a prototype stacking module that allows modules to be stacked and their results combined in the 'intuitive' way rene nm, I'll just listen andre sarnold: but does stacking create force orders of operations ? sarnold andre, doing stacking in full generality basically re-introduces the big kernel lock. :) if some assumptions are allowed (no unload of modules), it isn't that bad, I don't think. andre sarnold: different problem :-/ * slack is away: I'm busy zanshin are syscall hooks and callbacks pointers to fuctions one should fill in when registering a security module? zanshin i see pdp what regulates "Garbage Collection" nab cdub: How much overhead is associated in using the various hooks, in what section of the kernel (fs ops, socket ops, etc) do the largest performance drawbacks lie? nab cdub: or would this be more related to the implemenation of the hooks inside the security module? ShawnX CLAP CLAP CLAP, cdub, i have to leave work, but im logging this so I will read it tonight :-) pdp But why allow upped sec-levels from un "unsecured sec-level by the Main sec-level ? ?? pdp yes , why allow sudoers ? which in itself is not kosher sarnold pdp: consider the setuid bit .. it allows untrusted users, untrusted applications (shells) to get higher privs when executing the other program.... riel_ cdub: does LSM handle passing of filedescriptors via unix domain sockets ? pdp sarnold: sec-level enhancement like sudo and s-bit should be avoided , as much as possible, exactly then when you want to have security from whitin the kernel which checich checks the privilige of the "user", because that could circumvert the module. sarnold pdp: the module gets to decide whether setuid should work or not... andre yeah andre cdub: how is the addition of LSM against any other bolt on API different, regardless if it is natively adopted cdub andre hehe, i just tried to answer that, perhaps you were netsplit off? andre now are all LSM additions derived works and this forced to GPL thus removing the viable secret nature of LSM operations andre now if the secret sauce of each discrete LSM is disclosed, what is the use of LSM period andre try that one on :-) sarnold andre: flexibility ... a vendor such as redhat can distribute a kernel with LSM turned on cdub heh, ok ;-) * cdub tries it on... sarnold andre: and their users can apply whatever module (policy) they wish... andre MODULE_LICENSE argument is fun, so the LSM API is exported as a GPL only API. zanshin andre: do you have the missing text? I can past it for you. gregkh andre: yup. andre gregkh: so agree that if the API is GPL thus it is forced to be a derived work, by the defined terms of FSF/GPL gregkh andre: I'm not going to get into a license discussion. Look at the code, and draw your own conclusions. * andre is playing the devils advocate andre gregkh: that is the kind of issue which muddies the waters, when the goal of an API is to derive somethning clean rene cdub: thank you, very nice complete answer gregkh cdub: remember the stupid root_plug module now in the kernel tree too :) zanshin Can you explain the part about id's and registering id's once more... when is an object registerd?. And when is it referenced if a syscall is made? And how are the internal hooks hooked on userland syscalls? pffieuw :) rene TE/MLS? rene err, okay :) zanshin very clear thanks! cdub zanshin: sure ;-) fernand0 plas plas plas plas plas plas plas plas plas plast pdp clap clap clap clap viXard Are these modules arch careless? viXard forgive my english :) Generated by irclog2html.pl by Jeff Waugh - find it at freshmeat.net!

`* andre notes the central issues about LSM as it is w/ any binary class module is the legal aspects and the debates of linking v/s loading, so again Linus has done a great RMS model of muddying the waters of binaries`
`rene`	`more explanation of "access control" versus "full audit"?`
`gregkh`	`andre: nope, we use EXPORT_SYMBOL_GPL, so as to prevent the muddying.`
`rene`	`thanks, clear`
`ShawnX`	`can LSM support functionality mentioned by the OpenBSD people we reguards to Privilage Separation?`
`ShawnX`	`cdub: great! :)`
`ShawnX`	`sorry 'with' reguards :)`
`andre`	`gregkh: not valid for the framework as there has to be a private data pointer for various specifics`
`army`	`are there plans to included auditing when the current model is in the kernel and working?`
`gregkh_`	`army: not right now, no.`
`army`	`gregkh_: owkee, tnx`
`gregkh`	`army: there's another very good kernel audit project out there from .au, can't remember the name right now, sorry.`
`zanshin`	`Is there a list af objects for which security modules can be written?`
`* andre notes most of these issues on audits and and symbol exoprts are invalid because the simple rule of post the patch against the variation satisfies GPL`
`riel_`	`cdub: you say that LSM protects objects, but it seems to have callback hooks per system call.`
`riel_`	`cdub: could you explain why ? ;)`
`zanshin`	`k :)`
`army`	`gregkh: tnx`
`andre`	`cdub: how is the addition of LSM against any other bolt on API different, regardless if it is natively adopted`
`cdub`	`andre can you hold that question just a minute?`
`andre`	`yeah, but you knew it was coming`
`sarnold`	`hehe`
`cdub`	`yes ;-)`
`andre`	`add to the piss in the pot to stir the following: now are all LSM additions derived works and this forced to GPL thus removing the viable secret nature of LSM operations`
`andre`	`now if the secret sauce of each discrete LSM is disclosed, what is the use of LSM period`
`rene`	`cdub: could you give an example of a race here?`
`riel_`	`andre: flexibility`
`nab`	`andre: I believe the standard response on the LSM mailing list to the former is "ask a lawyer". :-)`
`rene`	`cdub: another kernel level thread? otherwise I don't understand`
`nab`	`cdub: Is it possible to use multiple security modules at the same time, and if so what are the limitations in doing so.`
`riel_`	`cdub: I guess so ;)`
`rene`	`then it what way could another thread modify foo so that LSM/open cares?`
`sarnold`	`nab: 'stacking' of security modules is possible.. david wheeler has a prototype stacking module that allows modules to be stacked and their results combined in the 'intuitive' way`
`rene`	`nm, I'll just listen`
`andre`	`sarnold: but does stacking create force orders of operations ?`
`sarnold`	`andre, doing stacking in full generality basically re-introduces the big kernel lock. :) if some assumptions are allowed (no unload of modules), it isn't that bad, I don't think.`
`andre`	`sarnold: different problem :-/`
`* slack is away: I'm busy`
`zanshin`	`are syscall hooks and callbacks pointers to fuctions one should fill in when registering a security module?`
`zanshin`	`i see`
`pdp`	`what regulates "Garbage Collection"`
`nab`	`cdub: How much overhead is associated in using the various hooks, in what section of the kernel (fs ops, socket ops, etc) do the largest performance drawbacks lie?`
`nab`	`cdub: or would this be more related to the implemenation of the hooks inside the security module?`
`ShawnX`	`CLAP CLAP CLAP, cdub, i have to leave work, but im logging this so I will read it tonight :-)`
`pdp`	`But why allow upped sec-levels from un "unsecured sec-level by the Main sec-level ? ??`
`pdp`	`yes , why allow sudoers ? which in itself is not kosher`
`sarnold`	`pdp: consider the setuid bit .. it allows untrusted users, untrusted applications (shells) to get higher privs when executing the other program....`
`riel_`	`cdub: does LSM handle passing of filedescriptors via unix domain sockets ?`
`pdp`	`sarnold: sec-level enhancement like sudo and s-bit should be avoided , as much as possible, exactly then when you want to have security from whitin the kernel which checich checks the privilige of the "user", because that could circumvert the module.`
`sarnold`	`pdp: the module gets to decide whether setuid should work or not...`
`andre`	`yeah`
`andre`	`cdub: how is the addition of LSM against any other bolt on API different, regardless if it is natively adopted`
`cdub`	`andre hehe, i just tried to answer that, perhaps you were netsplit off?`
`andre`	`now are all LSM additions derived works and this forced to GPL thus removing the viable secret nature of LSM operations`
`andre`	`now if the secret sauce of each discrete LSM is disclosed, what is the use of LSM period`
`andre`	`try that one on :-)`
`sarnold`	`andre: flexibility ... a vendor such as redhat can distribute a kernel with LSM turned on`
`cdub`	`heh, ok ;-)`
`* cdub tries it on...`
`sarnold`	`andre: and their users can apply whatever module (policy) they wish...`
`andre`	`MODULE_LICENSE argument is fun, so the LSM API is exported as a GPL only API.`
`zanshin`	`andre: do you have the missing text? I can past it for you.`
`gregkh`	`andre: yup.`
`andre`	`gregkh: so agree that if the API is GPL thus it is forced to be a derived work, by the defined terms of FSF/GPL`
`gregkh`	`andre: I'm not going to get into a license discussion. Look at the code, and draw your own conclusions.`
`* andre is playing the devils advocate`
`andre`	`gregkh: that is the kind of issue which muddies the waters, when the goal of an API is to derive somethning clean`
`rene`	`cdub: thank you, very nice complete answer`
`gregkh`	`cdub: remember the stupid root_plug module now in the kernel tree too :)`
`zanshin`	`Can you explain the part about id's and registering id's once more... when is an object registerd?. And when is it referenced if a syscall is made? And how are the internal hooks hooked on userland syscalls? pffieuw :)`
`rene`	`TE/MLS?`
`rene`	`err, okay :)`
`zanshin`	`very clear thanks!`
`cdub`	`zanshin: sure ;-)`
`fernand0`	`plas plas plas plas plas plas plas plas plas plast`
`pdp`	`clap clap clap clap`
`viXard`	`Are these modules arch careless?`
`viXard`	`forgive my english :)`