Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Fri, 18 Oct 2002 05:58:06 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Fri, 18 Oct 2002 05:58:06 -0400 Received: from abraham.CS.Berkeley.EDU ([128.32.37.170]:22535 "EHLO mx2.cypherpunks.ca") by vger.kernel.org with ESMTP id ; Fri, 18 Oct 2002 05:58:05 -0400 To: linux-kernel@vger.kernel.org Path: not-for-mail From: daw@mozart.cs.berkeley.edu (David Wagner) Newsgroups: isaac.lists.linux-kernel Subject: Re: [PATCH] remove sys_security Date: 18 Oct 2002 02:09:28 -0700 Organization: University of California, Berkeley Distribution: isaac Message-ID: References: <3DAFB260.5000206@wirex.com> NNTP-Posting-Host: mozart.cs.berkeley.edu X-Trace: abraham.cs.berkeley.edu 1034934391 1521 128.32.153.211 (18 Oct 2002 09:46:31 GMT) X-Complaints-To: news@abraham.cs.berkeley.edu NNTP-Posting-Date: 18 Oct 2002 09:46:31 GMT X-Newsreader: trn 4.0-test74 (May 26, 2000) Originator: daw@mozart.cs.berkeley.edu (David Wagner) Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1656 Lines: 31 [this is a re-post here of something I earlier sent to the LSM mailing list] Alexander Viro wrote: >As for "highly secure"... Could we please >see some proof? Clearly stated properties with code audit to verify them >would be nice. There has been some work done on automated analysis of the LSM hooks to verify that hooks are placed everywhere they are needed, and LSM benefitted from this. See, e.g., http://www.usenix.org/publications/library/proceedings/sec02/zhang.html >I'm yet to see a single shred of evidence that so-called security improvements >actually do improve security (as opposed to feeling of security - quite >a different animal). Adding LSM support to the kernel does not itself improve security. However, LSM support enables modules to add security. And yes, there are some substantial security wins available here. Are you familiar with privilege separation in SSH? One of the promises of LSM is that it provides a way that we could systematically apply privilege separation to many (or all) of our security-critical apps. Existing mechanisms in the OS are too coarse-grained to be adequate for privilege separation; LSM gives us a way to change all that. This would be a big improvement in security. I've never been shy of criticizing feel-good solutions. LSM is not a feel-good solution; it's a real step forward. This really is real stuff. This is not snake oil. Honest. - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/