[tomoyo-users-en 517] Harbinger of a shift in Linux Security Modules
Tetsuo Handa
2012-11-11 07:49:50 UTC

Regarding LSM infrastructure in Linux kernels, we are getting close to running
multiple LSM modules in parallel. At Linux Security Summit (2012/8/31), we had
a discussion and a demonstration by Casey Schaufler (who is the author of
SMACK) on running multiple LSM modules in parallel and attendees agreed on
proceeding in that direction. Since September, Casey has been posting patches
for making it possible and we are now discussing version 6 of the patches.
(Version 6 of the patches seems to be too large to be archived by the ML.)

Along with changes to run multiple LSM modules in parallel, I'm proposing
legally allowing LKM-based LSM modules, which was possible until Linux 2.6.23.
If an LKM is evil, that module will be able to not only hijack the LSM
infrastructure but also do whatever that module wants to do. Therefore, I think
that the choice of disallowing LKM-based LSM modules caused more trouble than
it solved. http://marc.info/?l=linux-security-module&m=135230137022310&w=2
Please see "[tomoyo-users-en 220] AKARI 1.0 released."
( http://sourceforge.jp/projects/tomoyo/lists/archive/users-en/2010-October/000219.html )
for history.

I have been thinking since before this discussion that "Label based access
control alone is not sufficient. Name based access control alone is not
sufficient. It is important that we can run both in parallel and therefore LSM
needs to be changed to allow running multiple LSM modules in parallel", and now
we are getting closer to it. My proposal for "allowing runtime loading of
LKM-based LSM module which implements only what users need" might also come
true (not sure, but so far no objections).

Below are updates on "[tomoyo-users-en 418] Various news regarding TOMOYO Linux"
( http://sourceforge.jp/projects/tomoyo/lists/archive/users-en/2011-November/000417.html ).

The output of the drastic overhaul explained at the bottom of the news was released
as CaitSith, and I introduced CaitSith at this year's LinuxCon North America
and Linux Security Summit. Development of TOMOYO/AKARI/CaitSith became slow
because I'm maintaining these using only leisure hours since this April. Please
wait restfully like ARIA's world (where AKARI and CaitSith are living).
Of course, feedback is welcome.

While I'm providing a TOMOYO 1.7 binary packages repository for the x86_32
architecture, TOMOYO 1.7 supports only kernels up to 2.6.37. Many distributions
using 2.6.37 and earlier kernels have reached end of life, and there are quite few
downloads from the TOMOYO 1.7 binary packages repository. Therefore, I think it may
be time to discontinue the TOMOYO 1.7 binary packages repository. If you still need
it, please let me know by the end of this month.

Below are the latest tarballs.

ccs-patch-1.8.3-20121111.tar.gz MD5: 77772512cf915c3aeb30a9800aa74bf8
akari-1.0.29-20121104.tar.gz MD5: 0000c715b3d97355529cdd01b0d6c666
caitsith-patch-0.1-20121101.tar.gz MD5: 2222bdd8dab49994d919699cdd69a610